To me, there are gems in many of the comments on this, and I beg your 
indulgence as I attempt to put them together here.

I realize we don’t want to touch vulnerability, but if “resulting from a 
weakness” were removed (and I believe it is superfluous), it would solve the 
problem of circular definitions.  Anyway, that can always be left for another 

Addressing the definition of weakness:

I agree with Rob Wissman’s point that “flaw” is not ideal because features that 
are recognized weaknesses today were not always so.  We could be more generic 
by using something like “element.”  I also like most of what Jim Whitmore said 
below, but I think attacks are enabled by vulnerabilities, not weaknesses 
(vulnerabilities are enabled by weaknesses).  So I’m thinking this might be a 
reasonably generic, futureproof definition:

Weakness: An element, misconfiguration or oversight in a technology’s design, 
integration or operation that may cause vulnerabilities to arise.

It seems necessary to me to reference vulnerabilities in the definition of 
weakness, because they are the “concrete instances” of weaknesses.  On the 
other hand, if we go down the path of removing that, it might be nice to 
replace “that may cause …” with something like “that may cause insecure 
operating conditions (i.e. conditions not intended by its designers or 
legitimate users).”  The parenthetical is needed only if we feel the need to 
define “insecure.”

Great discussion,

From: Jim <>
Sent: Friday, July 15, 2022 8:34 AM
To: Alec J Summers <>
Subject: Re: CWE/CAPEC Definitions

I did not copy everyone on my response…

Jim Whitmore

On Jul 15, 2022, at 10:20 AM, Jim Whitmore 
<<>> wrote:

Alec, thanks for the note. These terms overlap and are sometimes the source of 
confusion. I have been working with these resources for several years. My 
observation is that the CWE definition is is not exactly what the data is, and 
CAPEC definition could be less obtuse.

In my mind...

CAPEC is a catalog of attack patterns where an attack pattern is a behavior and 
exploit associated with actions by bad actors and/or malware.

CWE is a catalog of descriptions of weaknesses, where a weakness is a 
technology flaw, misconfiguration or oversight in design, integration and 
operation that enable attacks by bad actors and malware or lead to unexpected 
operating conditions.

The problem I see is that current CWE catalog only covers a subset of types of 
weaknesses associated with technology (hardware and software). What I mean is 
that CAPEC identifies attacks behaviors and exploits that have no corresponding 
CWE.  This is true for about 25% of the CAPEC entries. Analyzing the 25% of 
CAPEC entries, reveals that these CAPEC entries are "enabled" by (a) abuses of 
normal function, (b) weaknesses in human behavior, (c) etc.

Also, I suggest that CVE should be referenced as a catalog of instances of CWEs.

I am happy to discuss further.

Jim Whitmore

On 07/13/2022 1:08 PM Alec J Summers 
<<>> wrote:

Dear CAPEC Research Community,

I hope this email finds you well.

Over the past few months, the CWE/CAPEC User Experience Working Group has been 
working to modernize our programs through a variety of activities. One such 
activity is harmonizing the definitions on our sites for some of our key 
terminology including weakness, vulnerability, and attack pattern. As CWE and 
CAPEC were developed separately and on a different timeline, some of the terms 
are not defined similarly, and we want to address that.

We are seeking feedback on our working definitions:

A flaw in a software, firmware, hardware, or service component resulting from a 
weakness that can be exploited, causing a negative impact to the 
confidentiality, integrity, or availability of an impacted component or 
components (from CVE®)
A type of flaw or defect inserted during a product lifecycle that, under the 
right conditions, could contribute to the introduction of vulnerabilities in a 
range of products made by different vendors
Attack Pattern
The common approach and attributes related to the exploitation of a weakness, 
usually in cyber-enabled capabilities

Note: CVE’s definition for ‘vulnerability’ was agreed upon after significant 
community deliberation, and we are not looking to change it at this time.

We are hoping to publish new, improved definitions on our websites at the end 
of the month. Please provide thoughts and comments by Tuesday, July 26.


Alec J. Summers
Center for Securing the Homeland (CSH)
Cyber Security Engineer, Principal
Group Lead, Cybersecurity Operations and Integration
MITRE - Solving Problems for a Safer World™

Reply via email to