
Name of Your Organization:

High-Tech Bridge SA

Website:

http://www.htbridge.com/

Compatible Capability:

ImmuniWeb

Capability home page:

https://www.htbridge.com/immuniweb/

General Capability Questions

PRODUCT ACCESSIBILITY

Provide a short description of how and where your capability is made available to your customers and the public(required):

ImmuniWeb is publicly available on the ImmuniWeb Portal, https://portal.htbridge.com, for any person who has a web browser and a connection to the Internet.

Mapping Questions

MAP CURRENCY INDICATION

Describe how and where your capability indicates the most recent CWE content used to create or update its mappings (required):

Once an ImmuniWeb security assessment is complete, the customer receives the assessment report in PDF format. In the report, every detected vulnerability is presented in a table format with various technical fields. All vulnerabilities, without exception, have the following field:

Vulnerability CWE-ID: CWE-id-Here

This field is clickable and leads to the appropriate section of our CWE Vulnerability Glossary.

For example, an SQL Injection vulnerability (CWE-89) will point here: https://www.htbridge.com/vulnerability/sql-injection.html

Cross-Site Scripting (XSS) vulnerability (CWE-79) will point here:https://www.htbridge.com/vulnerability/cross-site-scripting.html

These pages are also accessible by short aliases:
https://www.htbridge.com/CWE-89
https://www.htbridge.com/CWE-79

Map Currency Update Approach

Indicate how often you plan to update the mappings to reflect the current CWE content, and describe your approach to keeping reasonably current with the CWE content when mapping it to your repository (recommended):

The ImmuniWeb security assessment process is managed by High-Tech Bridge security auditors; therefore, every vulnerability is manually verified and validated before being added to the ImmuniWeb report.

Such a QA procedure assures the accuracy of the security assessment report and makes a report update mechanism useless.

MAP CURRENCY UPDATE TIME

Describe how and where you explain to your customers the timeframe they should expect an update of your capability's mappings to reflect newly available CWE content (required):

Please refer to

Documentation Questions

CWE AND COMPATIBILITY DOCUMENTATION

Provide a copy, or directions to its location, of where your documentation describes CWE and CWE compatibility (required):

We believe that the best and the most appropriate resource with CWE documentation that can provide our customers with the most complete, accurate and latest information about CWE — is the official CWE website. Each ImmuniWeb security assessment report contains a hyperlink to it.

CWE compatibility will be described on the ImmuniWeb web page, https://www.htbridge.com/immuniweb/, also providing links to the official CWE website.

Nevertheless, we develop, support and regularly update the CWE Vulnerability Glossary, https://www.htbridge.com/vulnerability/, which contains detailed information about every CWE-ID detected by ImmuniWeb.

Each CWE Glossary entry usually includes the following sections:

  • Description
  • Potential impact
  • Attack patterns
  • Affected software
  • Exploitation Examples
  • Severity and CVSS score
  • Mitigation
  • Vulnerability remediation techniques and examples
  • References
  • Latest Related HTB Security Advisories

The last section contains numerous examples from High-Tech Bridge Security Research Lab,https://www.htbridge.com/advisory/, which is also CWE-Compatible since 2012.

DOCUMENTATION OF FINDING ELEMENTS USING CWE IDENTIFIERS

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CWE identifiers to find the individual security elements within your capability's repository (required):

As already mentioned above, the ImmuniWeb security assessment report is delivered in PDF format. ImmuniWeb customers can use the default built-in Adobe Reader (or any other PDF document reading software) search function to search for vulnerabilities in the report by CWE-ID. This feature is obvious and does not require specific documentation.

DOCUMENTATION OF FINDING CWE IDENTIFIERS USING ELEMENTS

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CWE identifiers associated with individual security elements within your capability’s repository(required):

Same answer as in .

Type-Specific Capability Questions

Service Questions

FINDING TASKS USING CWE IDENTIFIERS

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CWE identifier(required):

Every vulnerability in the ImmuniWeb security assessment report is listed in a table with the following fields:

  • CVE-ID
  • CWE-ID
  • CVSSv2 Base Score

These fields clearly indicate which security tests were performed by ImmuniWeb.

A complete list of detectable security vulnerabilities is available on ImmuniWeb webpage,https://www.htbridge.com/immuniweb/technical-pecification.html#detected_vulnerabilities, where they are classified by CWE-ID.

FINDING CWE IDENTIFIERS USING ELEMENTS IN REPORTS

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CWE identifiers for the individual security elements in the report (required):

In the ImmuniWeb security assessment report, the table for each detected security vulnerability contains a field named "Vulnerability CWE-ID" that holds the CWE-ID. For more details, please see

OBTAINING CLAIMED CWE IDENTIFIER COVERAGE

Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the tool is effective at locating in software(required):

All the CWE-IDs that ImmuniWeb SaaS detects are publicly available on ImmuniWeb web page:https://www.htbridge.com/immuniweb/technical-pecification.html#detected_vulnerabilities

Please see for more information about our CWE Vulnerability Glossary, which contains a detailed description of every CWE-ID detected by ImmuniWeb.

Media Questions

ELECTRONIC DOCUMENT FORMAT INFO

Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CWE-related text(required):

The ImmuniWeb security assessment report is provided only in PDF format.

The built-in search function of PDF document reading software can easily be used to search for vulnerabilities by a specific CWE-ID.

ELECTRONIC DOCUMENT LISTING OF CWE IDENTIFIERS

If one of the capability’s standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CWE identifiers are listed for each individual security element(required):

The ImmuniWeb report is well structured, and each table with a vulnerability description is located on a separate page of the PDF document. As already mentioned above, each vulnerability description is presented in a table format that always contains a highly visible "Vulnerability CWE-ID" field, which also contains a hyperlink to our CWE Vulnerability Glossary.

Graphical User Interface (GUI) Questions

FINDING ELEMENTS USING CWE IDENTIFIERS THROUGH THE GUI

Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability's elements by looking for their associated CWE identifier (required):

This depends on the software the user uses to read the ImmuniWeb security assessment report, which is delivered in PDF format.

For Adobe Reader it’s enough just to press "CTRL+F" key combination to get a search input box, which can be used to search vulnerabilities by CWE-ID or any other search parameter.

GUI ELEMENT TO CWE IDENTIFIER MAPPING

Briefly describe how the associated CWE identifiers are listed for individual security elements, or discuss how the user can use the mapping between CWE identifiers and the capability's elements, and also describe the format of the mapping (required):

This question is answered in detail in .

Questions for Signature

STATEMENT OF COMPATIBILITY

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization, I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Ilia Kolochenko

Title: CEO

STATEMENT OF ACCURACY

Have an authorized individual sign and date the following Accuracy Statement (recommended):

"As an authorized representative of my organization, I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Ilia Kolochenko

Title: CEO

STATEMENT ON FALSE-POSITIVES AND FALSE-NEGATIVES and/or

FOR TOOLS AND SERVICES ONLY — Have an authorized individual sign and date the following statement about your tools efficiency in identification of security elements(required):

"As an authorized representative of my organization, I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Ilia Kolochenko

Title: CEO

Page Last Updated: April 02, 2018