CWE

Common Weakness Enumeration

A community-developed list of software and hardware weakness types


Name of Your Organization:

Hewlett-Packard Development Company, L.P.

Web Site:

www.hpenterprisesecurity.com/

Compatible Capability:

HP WebInspect

Capability home page:

http://www.hpenterprisesecurity.com/products/hp-fortify-software-security-center/hp-webinspect-real-time/

General Capability Questions

Product Accessibility

Provide a short description of how and where your capability is made available to your customers and the public (required):

HP products are available for customer download in the HP Software Updates portal. Additional information about the products is available on either www.hpenterprisesecurity.com or www.fortify.com or download.hpsmartupdate.com/webinspect.

Mapping Questions

MAP CURRENCY INDICATION

Describe how and where your capability indicates the most recent CWE content used to create or update its mappings (required):

HP Fortify products provide CWE mappings as well as other category/taxonomy information. HP Software Security Center provides out-of-the-box reports for CWE top 25 for years 2009 and 2010.

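MAP CURRENCY UPDATE APPROACH

Indicate how often you plan on updating your mappings to reflect new CWE content and describe your approach to keeping reasonably current with CWE content when mapping them to your repository (recommended):

Security rules are updated weekly (dynamic rules) by the Web Security Research Group.

MAP CURRENCY UPDATE TIME

Describe how and where you explain to your customers the timeframe they should expect an update of your capability's mappings to reflect newly available CWE content (required):

When new dynamic security rules are created (typically released weekly), they include CWE identifiers. Because the CWE identifiers hyperlink back to the MITRE website, the updated content can be accessed whenever MITRE publishes updates.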

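Documentation Questions

CWE AND COMPATIBILITY DOCUMENTATION

Provide a copy, or directions to its location, of where your documentation describes CWE and CWE compatibility (required):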

This information is available in the WebInspect product using the Policy Manager tool.

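DOCUMENTATION OF FINDING ELEMENTS USING CWE IDENTIFIERS

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CWE identifiers to find the individual security elements within your capability's repository (required):

Results are displayed in the HP WebInspect product and enable customers to search by CWE and/or group issues by the associated CWE mappings.

DOCUMENTATION OF FINDING CWE IDENTIFIERS USING ELEMENTS

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CWE identifiers associated with individual security elements within your capability's repository (required):

Issues reported with CWE mappings contain the CWE information in the "Recommendations" tab as a supporting reference. In addition, users can group issues by CWE for quicker access.

HP WebInspect includes the relevant CWE-ID for each vulnerability.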

DOCUMENTATION INDEXING OF CWE-RELATED MATERIAL

If your documentation includes an index, provide a copy of the items and resources that you have listed under "CWE" in your index. Alternately, provide directions to where these "CWE" items are posted on your web site (recommended):

HP WebInspect has the ability to search by CWE-ID and to read our vulnerability descriptions with links to the MITRE documentation.

Type-Specific Capability Questions

Tool Questions

FINDING TASKS USING CWE IDENTIFIERS

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CWE identifier (required):

All interfaces enable users to group issues by CWE identifier.

Users searching for issues relating to specific CWE Identifiers can locate issues using search criteria, such as: cwe:cwe id

Using HP WebInspect, users can create a group of vulnerabilities to check for, or filter on, specific CWEs by CWE number.

FINDING CWE IDENTIFIERS USING ELEMENTS IN REPORTS

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CWE identifiers for the individual security elements in the report (required):

CWE Identifiers are included when each vulnerability is identified. (See in the blue header.)

The CWE Identifier is included in reports along with a link to MITRE. (See under classifications.)

GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE

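Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the tool is effective at locating in software (required):

You can obtain a list of the CWE vulnerabilities we check for through the Policy Manager tool available in WebInspect.

GETTING A LIST OF CWE IDENTIFIERS ASSOCIATED WITH TASKS

Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that are associated with the tool's tasks (recommended):

You can obtain a list of the CWE vulnerabilities checked for through the Policy Manager tool available in WebInspect.

SELECTING TASKS WITH A LIST OF CWE IDENTIFIERS

Describe the steps and format that a user would use to select a set of tasks by providing a file with a list of CWE identifiers (recommended):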

If the user wanted to create a “policy” to check for certain CWE Identifiers, they would open the policy manager and “search by CWE” number and select the associated “rules”. They would repeat this for each CWE number. Once they’ve completed this process, they would select the created policy when they go through the scanning process.

SELECTING TASKS USING INDIVIDUAL CWE IDENTIFIERS

Describe the steps that a user would follow to browse, select, and deselect a set of tasks for the tool by using individual CWE identifiers (recommended):

Same steps as <CR_A.2.7>, but they would only select a single CWE.

Media Questions

ELECTRONIC DOCUMENT FORMAT INFO

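Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CWE-related text (required):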

HP WebInspect supports exporting documents in XML and CSV. Both these formats include the CWE identifier for each vulnerability.

ELECTRONIC DOCUMENT LISTING OF CWE IDENTIFIERS

If one of the capability's standard electronic documents only lists security elements by their short names or titles, provide example documents that demonstrate how the associated CWE identifiers are listed for each individual security element (required):

HP WebInspect supports an export format that includes vulnerability descriptions which include CWE ID, Name, and a link to the detailed MITRE content.

Graphical User Interface (GUI) Questions

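FINDING ONLINE CAPABILITY TASKS USING CWE IDENTIFIERS

Give detailed examples and explanations of how a "find" or "search" function is available to the user to locate tasks in the online capability by looking for their associated CWE identifier, or through an online mapping that links each element of the capability with its associated CWE identifier(s) (required):

All interfaces enable users to group issues by CWE identifier.

Users searching for issues relating to specific CWE identifiers can locate issues using search criteria, such as: CWE:XX

In HP WebInspect you can group a list of vulnerabilities by their CWE-ID.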

GUI ELEMENT TO CWE IDENTIFIER MAPPING

Briefly describe how the associated CWE identifiers are listed for the individual security elements or discuss how the user can use the mapping between CWE identifiers and the capability's elements, also describe the format of the mapping (required):

CWE information in HP WebInspect

GUI EXPORT ELECTRONIC DOCUMENT FORMAT INFO

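Provide details about the different electronic document formats that you provide (recommended):

CWE information is included in the two export formats that HP WebInspect includes: XML and comma-separated values.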

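Signature Questions

STATEMENT OF COMPATIBILITY

Have an authorized individual sign and date the following Compatibility Statement (required):

“As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability.”

Name: Brian Miller

Title: Product Manager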

STATEMENT OF ACCURACY

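Have an authorized individual sign and date the following accuracy Statement (recommended):

“As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability.”

Name: Brian Miller

Title: Product Manager

STATEMENT ON FALSE-POSITIVES AND/OR FALSE-NEGATIVES

FOR TOOLS AND SERVICES ONLY - Have an authorized individual sign and date the following statement about your tool's efficiency in identification of security elements (required):

“As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability.”

Name: Brian Miller

Title: Product Manager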
