Hi,

My take on the weakness term; I would like to emphasize that my preference is not to use the terms in one definition with the other, which creates a bit of confusion.

*Vulnerability*
GOOD with the definition

*Weakness*
*Lack of Quality or State in the product lifecycle that, under the right conditions with likelihood initiates a sequence of events that can lead to defects in the products, systems, and software.*

*Attack Pattern*
GOOD with the definition

Hope this helps.

thanks

--
V/R,
Alexander W. Miranda, Ph.D.
awmira...@gmail.com

On Fri, Jul 15, 2022 at 10:21 AM Gutman, Gregoriy (CTR) <gregoriy.gut...@associates.fema.dhs.gov> wrote:

> Hello Alec, et al,
>
> Here is my attempt at definition improvement of weakness and attack pattern.
>
> Weakness - *A flaw or defect overlooked during a product lifecycle that, under the right conditions, could contribute to the introduction or exploit of vulnerabilities in a range of products made by different vendors, not limited to software*
>
> Attack Pattern - *The common approach and attributes related to the exploitation of a weakness, primarily in software, by extension in computer hardware and business logic*
>
> --
> Greg Gutman (CTR), CISSP
> Email: gregoriy.gut...@associates.fema.dhs.gov
>
> *From:* Alec J Summers <asumm...@mitre.org>
> *Sent:* Wednesday, July 13, 2022 1:09 PM
> *To:* CAPEC Researcher Discussion <capec-research-list@mitre.org>
> *Subject:* CWE/CAPEC Definitions
>
> Dear CAPEC Research Community,
>
> I hope this email finds you well.
>
> Over the past few months, the CWE/CAPEC User Experience Working Group has been working to modernize our programs through a variety of activities. One such activity is harmonizing the definitions on our sites for some of our key terminology including weakness, vulnerability, and attack pattern. As CWE and CAPEC were developed separately and on a different timeline, some of the terms are not defined similarly, and we want to address that.
>
> We are seeking feedback on our working definitions:
>
> *Vulnerability*
> *A flaw in a software, firmware, hardware, or service component resulting from a weakness that can be exploited, causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components (from CVE®)*
>
> *Weakness*
> *A type of flaw or defect inserted during a product lifecycle that, under the right conditions, could contribute to the introduction of vulnerabilities in a range of products made by different vendors*
>
> *Attack Pattern*
> *The common approach and attributes related to the exploitation of a weakness, usually in cyber-enabled capabilities*
>
> *Note*: CVE’s definition for ‘vulnerability’ was agreed upon after significant community deliberation, and we are not looking to change it at this time.
>
> We are hoping to publish new, improved definitions on our websites at the end of the month. Please provide thoughts and comments by Tuesday, July 26.
>
> Cheers,
> Alec
>
> --
> *Alec J. Summers*
> Center for Securing the Homeland (CSH)
> Cyber Security Engineer, Principal
> Group Lead, Cybersecurity Operations and Integration
> *––––––––––––––––––––––––––––––––––––*
> *MITRE - Solving Problems for a Safer World™*