All,
I enjoyed these definitions and the opportunity to provide input. My thoughts 
are below.


  *   Weakness - A flaw or defect overlooked during a product lifecycle that, 
under the right conditions, could contribute to the introduction or exploit of 
vulnerabilities in a range of products made by different vendors, not limited 
to software
  *   Attack Pattern - The common approach and attributes related to the 
exploitation of a weakness or vulnerability, primarily in software, by 
extension in computer hardware and business logic

Thanks,
Ed

Edwin Covert, CISSP-ISSAP, CISM, CRISC, SCF, PMP
Director, Risk Assessments and Testing - WarnerMedia
Kristy McCormac<mailto:kristy.mccor...@warnerbros.com> manages my calendar

818-977-4769
wbd.com


Public Key gpg --search-keys --keyserver keys.openpgp.org 
ed.cov...@warnerbros.com<mailto:ed.cov...@warnerbros.com>

Please note: While I may send an email outside of traditional working hours, I 
do NOT expect a response outside of your own.

From: Gutman, Gregoriy (CTR) <gregoriy.gut...@associates.fema.dhs.gov>
Date: Friday, July 15, 2022 at 7:20 AM
To: Alec J Summers <asumm...@mitre.org>, CAPEC Researcher Discussion 
<capec-research-list@mitre.org>
Subject: RE: CWE/CAPEC Definitions

Hello Alec, et al,

Here is my attempt at definition improvement of weakness and attack pattern.

Weakness - A flaw or defect overlooked during a product lifecycle that, under 
the right conditions, could contribute to the introduction or exploit of 
vulnerabilities in a range of products made by different vendors, not limited 
to software

Attack Pattern - The common approach and attributes related to the exploitation 
of a weakness, primarily in software, by extension in computer hardware and 
business logic

--
Greg Gutman (CTR), CISSP
Email: gregoriy.gut...@associates.fema.dhs.gov<mailto:gregoriy.gut...@associates.fema.dhs.gov>

From: Alec J Summers <asumm...@mitre.org>
Sent: Wednesday, July 13, 2022 1:09 PM
To: CAPEC Researcher Discussion <capec-research-list@mitre.org>
Subject: CWE/CAPEC Definitions


Dear CAPEC Research Community,

I hope this email finds you well.

Over the past few months, the CWE/CAPEC User Experience Working Group has been 
working to modernize our programs through a variety of activities. One such 
activity is harmonizing the definitions on our sites for some of our key 
terminology including weakness, vulnerability, and attack pattern. As CWE and 
CAPEC were developed separately and on a different timeline, some of the terms 
are not defined similarly, and we want to address that.

We are seeking feedback on our working definitions:

Vulnerability
A flaw in a software, firmware, hardware, or service component resulting from a 
weakness that can be exploited, causing a negative impact to the 
confidentiality, integrity, or availability of an impacted component or 
components (from CVE®)
Weakness
A type of flaw or defect inserted during a product lifecycle that, under the 
right conditions, could contribute to the introduction of vulnerabilities in a 
range of products made by different vendors
Attack Pattern
The common approach and attributes related to the exploitation of a weakness, 
usually in cyber-enabled capabilities

Note: CVE’s definition for ‘vulnerability’ was agreed upon after significant 
community deliberation, and we are not looking to change it at this time.

We are hoping to publish new, improved definitions on our websites at the end 
of the month. Please provide thoughts and comments by Tuesday, July 26.

Cheers,
Alec

--
Alec J. Summers
Center for Securing the Homeland (CSH)
Cyber Security Engineer, Principal
Group Lead, Cybersecurity Operations and Integration
––––––––––––––––––––––––––––––––––––
MITRE - Solving Problems for a Safer World™

