
Developer Tools

National Vulnerability Database

  • The NVD is the U.S. government repository of standards-based vulnerability management data, represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.

DBoM Project

  • The Digital Bill of Materials (DBoM) Consortium, a Linux Foundation project, seeks to improve supply chain efficiency by enabling more effective attestation sharing among supply chain partners. DBoM nodes enforce the policy structure that the partners establish for an individual supply chain relationship.
  • DBoM GitHub.

CycloneDX

  • CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. The specification supports SBOM (software), SaaSBOM (software-as-a-service), HBOM (hardware), OBOM (operations), VDR (Vulnerability Disclosure Report) and VEX (Vulnerability Exploitability eXchange).
  • Strategic direction of the specification is managed by the CycloneDX Core Working Group, backed by the OWASP Foundation, and supported by the global information security community.
  • CycloneDX GitHub.
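The following is an added example, not code from Ceritas or from the CycloneDX project. It builds a small CycloneDX 1.5 JSON BOM by hand that carries a VEX-style `analysis` block, checks that every vulnerability `affects` reference resolves to a component `bom-ref`, and lists what a consumer still has to act on. The application name `billing-api`, the triage decision, and the second component are constructed sample data; the CVE (Log4Shell) and the affected log4j-core version are real.

```python
"""Added example (not Ceritas, OWASP or CycloneDX project code): build a small
CycloneDX 1.5 JSON BOM with a VEX-style analysis, check that its vulnerability
references resolve, and list what still needs action."""
import json
import uuid

# analysis.state values that, per the CycloneDX spec, mean "no action needed"
NON_ACTIONABLE_STATES = {"not_affected", "false_positive", "resolved",
                         "resolved_with_pedigree"}

LOG4J_REF = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
JACKSON_REF = "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"


def build_bom() -> dict:
    """Constructed sample: a hypothetical application with two libraries and one
    real CVE (CVE-2021-44228) that the hypothetical team triaged as exploitable."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "component": {"type": "application", "name": "billing-api",
                          "version": "3.2.0", "bom-ref": "app-billing"}
        },
        "components": [
            {"type": "library", "name": "log4j-core", "version": "2.14.1",
             "purl": LOG4J_REF, "bom-ref": LOG4J_REF},
            {"type": "library", "name": "jackson-databind", "version": "2.15.2",
             "purl": JACKSON_REF, "bom-ref": JACKSON_REF},
        ],
        "vulnerabilities": [
            {
                "id": "CVE-2021-44228",
                "source": {"name": "NVD",
                           "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"},
                "ratings": [{"severity": "critical", "method": "CVSSv31",
                             "score": 10.0}],
                # VEX analysis: a hypothetical triage decision for this sample
                "analysis": {"state": "exploitable", "response": ["update"],
                             "detail": "JNDI lookup reachable from request logging."},
                "affects": [{"ref": LOG4J_REF}],
            }
        ],
    }


def validate_bom(bom: dict) -> list[str]:
    """Return a list of problems; an empty list means the BOM passed these checks."""
    problems = []
    for field in ("bomFormat", "specVersion", "version"):
        if field not in bom:
            problems.append(f"missing required field {field!r}")
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat must be 'CycloneDX'")
    # every bom-ref that a vulnerability may legitimately point at
    refs = {c.get("bom-ref") for c in bom.get("components", [])}
    meta = bom.get("metadata", {}).get("component") or {}
    if meta.get("bom-ref"):
        refs.add(meta["bom-ref"])
    for vuln in bom.get("vulnerabilities", []):
        if not vuln.get("id"):
            problems.append("vulnerability without an id")
        for target in vuln.get("affects", []):
            if target.get("ref") not in refs:
                problems.append(f"{vuln.get('id')} affects unknown bom-ref "
                                f"{target.get('ref')!r}")
    return problems


def actionable(bom: dict) -> list[tuple[str, str]]:
    """(vulnerability id, purl) pairs a VEX consumer still has to act on.
    A vulnerability with no analysis block is treated as untriaged."""
    purl_by_ref = {c["bom-ref"]: c.get("purl", c["bom-ref"])
                   for c in bom.get("components", []) if "bom-ref" in c}
    out = []
    for vuln in bom.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state", "in_triage")
        if state in NON_ACTIONABLE_STATES:
            continue
        for target in vuln.get("affects", []):
            out.append((vuln["id"], purl_by_ref.get(target["ref"], target["ref"])))
    return out


if __name__ == "__main__":
    bom = build_bom()
    print(json.dumps(bom, indent=2))
    print("problems:", validate_bom(bom))
    print("actionable:", actionable(bom))
```

Flipping `analysis.state` to `not_affected` (with a `justification` such as `code_not_reachable`) is exactly how a VEX document suppresses a finding without removing the component from the SBOM; the consumer-side check above treats only the spec's closed set of states as non-actionable, so a typo in the state name keeps the finding visible rather than silently hiding it.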

SCITT – Supply Chain Integrity, Transparency, and Trust

  • The Supply Chain Integrity, Transparency, and Trust (SCITT) mailing list is a place to present, exchange, and discuss common practice, emerging mechanisms, and converging terminology in the domain of SCITT. This includes pointers to state-of-the-art documents, leveraging existing IETF work, and requests for public review.
  • SCITT GitHub.

GUAC – Graph for Understanding Artifact Composition 

  • Graph for Understanding Artifact Composition (GUAC) aggregates software security metadata into a high fidelity graph database—normalizing entity identities and mapping standard relationships between them. Querying this graph can drive higher-level organizational outcomes such as audit, policy, risk management, and even developer assistance.

PACE – Posture Attribute Collection and Evaluation

  • Posture Attribute Collection and Evaluation (PACE) is an Open Cybersecurity Alliance (OCA) project. Posture assessment generally consists of understanding, for a given computing resource (or set of computing resources), the software load, the composition of that software load, patch levels, software vulnerabilities, and configuration state. Together, these attributes of a computing resource represent its cybersecurity posture.

STIX/TAXII

  • STIX – Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI). STIX is an open, freely available specification, so anyone interested can contribute and ask questions.
  • TAXII – Trusted Automated Exchange of Intelligence Information (TAXII™) is an application protocol for exchanging CTI over HTTPS. TAXII defines a RESTful API (a set of services and message exchanges) and a set of requirements for TAXII clients and servers.
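The following is an added example, not code from Ceritas, OASIS, or any STIX/TAXII implementation. Using only the standard library, it builds a STIX 2.1 bundle (a malware object, an indicator, and the `indicates` relationship between them), runs the referential checks a receiving CTI platform would apply, and shows the TAXII 2.1 request shape for adding those objects to a collection. The malware name `ExampleLoader`, the API root URL and collection id are hypothetical; the indicator address is from the TEST-NET-2 documentation range, not a real IOC.

```python
"""Added example (not OASIS, Ceritas or any STIX/TAXII project code): build a
STIX 2.1 bundle by hand, check its referential integrity, and wrap the objects
in the TAXII 2.1 envelope a client POSTs to a collection."""
import re
import uuid
from datetime import datetime, timezone

# STIX identifiers are "<type>--<UUID>"
STIX_ID = re.compile(
    r"^([a-z0-9-]+)--([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$")
TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"


def _now() -> str:
    """STIX timestamps are RFC 3339 UTC with millisecond precision."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def stix_object(obj_type: str, **props) -> dict:
    """Common properties every STIX Domain Object / Relationship Object carries."""
    ts = _now()
    base = {"type": obj_type, "spec_version": "2.1",
            "id": f"{obj_type}--{uuid.uuid4()}", "created": ts, "modified": ts}
    base.update(props)
    return base


def build_bundle() -> dict:
    """Constructed sample: an indicator for 198.51.100.7 (TEST-NET-2, reserved for
    documentation) that indicates a hypothetical malware family."""
    malware = stix_object("malware", name="ExampleLoader", is_family=True,
                          malware_types=["downloader"])
    indicator = stix_object("indicator", name="ExampleLoader C2 address",
                            indicator_types=["malicious-activity"],
                            pattern="[ipv4-addr:value = '198.51.100.7']",
                            pattern_type="stix", valid_from=_now())
    rel = stix_object("relationship", relationship_type="indicates",
                      source_ref=indicator["id"], target_ref=malware["id"])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [malware, indicator, rel]}


def check_bundle(bundle: dict) -> list[str]:
    """Referential checks: well-formed ids, id prefix matches type, spec_version
    is 2.1, and relationships only point at objects present in the bundle."""
    problems, ids = [], set()
    for obj in bundle.get("objects", []):
        m = STIX_ID.match(obj.get("id", ""))
        if not m:
            problems.append(f"malformed id {obj.get('id')!r}")
            continue
        if m.group(1) != obj.get("type"):
            problems.append(f"id prefix {m.group(1)!r} does not match type "
                            f"{obj.get('type')!r}")
        if obj.get("spec_version") != "2.1":
            problems.append(f"{obj['id']} is not a STIX 2.1 object")
        ids.add(obj["id"])
    for obj in bundle.get("objects", []):
        if obj.get("type") == "relationship":
            for key in ("source_ref", "target_ref"):
                if obj.get(key) not in ids:
                    problems.append(f"{obj['id']}: {key} {obj.get(key)!r} "
                                    "not in bundle")
    return problems


def indicator_values(bundle: dict) -> list[str]:
    """Pull the literal comparison values out of simple STIX patterns, e.g. to
    feed a blocklist or a detection rule."""
    values = []
    for obj in bundle.get("objects", []):
        if obj.get("type") == "indicator" and obj.get("pattern_type") == "stix":
            values.extend(re.findall(r"=\s*'([^']*)'", obj["pattern"]))
    return values


def taxii_add_objects_request(bundle: dict, api_root: str,
                              collection_id: str) -> tuple[str, dict, dict]:
    """TAXII 2.1 'Add Objects': POST an envelope {"objects": [...]} (not the
    bundle itself) to /<api-root>/collections/<id>/objects/ with the TAXII
    media type. Transport, TLS and authentication are left to the caller."""
    url = f"{api_root.rstrip('/')}/collections/{collection_id}/objects/"
    headers = {"Accept": TAXII_MEDIA_TYPE, "Content-Type": TAXII_MEDIA_TYPE}
    return url, headers, {"objects": bundle["objects"]}


if __name__ == "__main__":
    b = build_bundle()
    print("problems:", check_bundle(b))
    print("indicator values:", indicator_values(b))
    print(taxii_add_objects_request(b, "https://taxii.example.test/api1", "c1")[0])
```

The envelope-versus-bundle distinction is the most common interoperability slip: TAXII 2.0 carried STIX bundles, whereas TAXII 2.1 carries a bare `{"objects": [...]}` envelope and the server responds with a status resource; `check_bundle` is the kind of validation worth running before the POST, since a dangling `target_ref` is accepted by some servers and only surfaces later as an orphaned relationship.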
