I did not copy everyone on my response…

Jim Whitmore 


> On Jul 15, 2022, at 10:20 AM, Jim Whitmore <jj-whitm...@comcast.net> wrote:
> 
> 
> Alec, thanks for the note. These terms overlap and are sometimes the source 
> of confusion. I have been working with these resources for several years. My 
> observation is that the CWE definition is not exactly what the data is, 
> and the CAPEC definition could be less obtuse.
> 
> In my mind...
> 
> CAPEC is a catalog of attack patterns where an attack pattern is a behavior 
> and exploit associated with actions by bad actors and/or malware. 
> 
> CWE is a catalog of descriptions of weaknesses, where a weakness is a 
> technology flaw, misconfiguration or oversight in design, integration and 
> operation that enables attacks by bad actors and malware or leads to unexpected 
> operating conditions. 
> 
> The problem I see is that the current CWE catalog only covers a subset of the types 
> of weaknesses associated with technology (hardware and software). What I mean 
> is that CAPEC identifies attack behaviors and exploits that have no 
> corresponding CWE. This is true for about 25% of the CAPEC entries. 
> Analyzing that 25% of CAPEC entries reveals that these CAPEC entries are 
> "enabled" by (a) abuses of normal function, (b) weaknesses in human behavior, 
> (c) etc. 
> 
> Also, I suggest that CVE should be referenced as a catalog of instances of 
> CWEs.    
>  
> I am happy to discuss further. 
> 
> Jim Whitmore
> 
> 
>> On 07/13/2022 1:08 PM Alec J Summers <asumm...@mitre.org> wrote:
>> 
>> 
>> Dear CAPEC Research Community,
>> 
>> I hope this email finds you well.
>> 
>> Over the past few months, the CWE/CAPEC User Experience Working Group has 
>> been working to modernize our programs through a variety of activities. One 
>> such activity is harmonizing the definitions on our sites for some of our 
>> key terminology including weakness, vulnerability, and attack pattern. As 
>> CWE and CAPEC were developed separately and on a different timeline, some of 
>> the terms are not defined similarly, and we want to address that.
>> 
>> We are seeking feedback on our working definitions:
>> 
>> Vulnerability
>> 
>> A flaw in a software, firmware, hardware, or service component resulting 
>> from a weakness that can be exploited, causing a negative impact to the 
>> confidentiality, integrity, or availability of an impacted component or 
>> components (from CVE®)
>> 
>> Weakness
>> 
>> A type of flaw or defect inserted during a product lifecycle that, under the 
>> right conditions, could contribute to the introduction of vulnerabilities in 
>> a range of products made by different vendors
>> 
>> Attack Pattern
>> 
>> The common approach and attributes related to the exploitation of a 
>> weakness, usually in cyber-enabled capabilities
>> 
>> Note: CVE’s definition for ‘vulnerability’ was agreed upon after significant 
>> community deliberation, and we are not looking to change it at this time.
>> 
>> We are hoping to publish new, improved definitions on our websites at the 
>> end of the month. Please provide thoughts and comments by Tuesday, July 26.
>> 
>> Cheers,
>> 
>> Alec
>> 
>> -- 
>> 
>> Alec J. Summers
>> 
>> Center for Securing the Homeland (CSH)
>> 
>> Cyber Security Engineer, Principal
>> 
>> Group Lead, Cybersecurity Operations and Integration
>> 
>> ––––––––––––––––––––––––––––––––––––
>> 
>> MITRE - Solving Problems for a Safer World™
>> 