Sorry for chiming in on this but isn't a weakness: A deficiency in a product or configuration that allows unintended behavior or access by an unauthorized entity ________________________________ From: Godsey, Charles M (Mike) <godse...@nationwide.com> Sent: Wednesday, July 20, 2022 3:05 PM To: Keith J Hill <kh...@mitre.org>; Alec J Summers <asumm...@mitre.org>; CAPEC Researcher Discussion <capec-research-list@mitre.org> Subject: RE: CWE/CAPEC Definitions
How about something like this: Weakness: A state or condition in a product that when subjected to certain condition(s) will fail. Thanks, Mike C. Michael Godsey BSETE, MSIE, MBA, CISSP, CISM, GICSP, CFE Counter-Fraud Capability Leader Nationwide Insurance 3-23-201 Three Nationwide Plaza Columbus, OH 43215 Phone: 614.677.2528 Fax: 877.202.5001 Cell: 614.270.0887 The information contained in this e-mail message, including any attachments, is CONFIDENTIAL, and is intended only for the individual or entity named in this communication. If the reader of this message is not the intended recipient, or employee, or agent responsible for delivering it to the intended recipient, you are hereby notified that dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please immediately notify the sender by e-mail and destroy all copies of the original message. Thank you. From: Keith J Hill <kh...@mitre.org> Sent: Wednesday, July 20, 2022 2:53 PM To: Alec J Summers <asumm...@mitre.org>; CAPEC Researcher Discussion <capec-research-list@mitre.org> Subject: [EXTERNAL] RE: CWE/CAPEC Definitions Nationwide Information Security Warning: This is an EXTERNAL email. Use CAUTION before clicking on links, opening attachments, or responding. (Sender: asumm...@mitre.org<mailto:asumm...@mitre.org>) ________________________________ Thanks for the reminder Alec, I’m bothered by the Weakness definition, specifically “type of flaw or defect inserted...” because I think this presumes too much. I’m tossing this into the ring for consideration. It incorporates some of the ideas that others proposed. Weakness: A condition that under the right circumstances begins a process or combines with other weaknesses to cause a harm in a product or system. The key is that a weakness is a condition; it may include human and process flaws. A weakness begins or contribute to that chain of circumstances that results in a vulnerability/harm. Keith From: Alec J Summers <asumm...@mitre.org<mailto:asumm...@mitre.org>> Sent: Wednesday, July 20, 2022 2:39 PM To: CAPEC Researcher Discussion <capec-research-list@mitre.org<mailto:capec-research-list@mitre.org>> Subject: FW: CWE/CAPEC Definitions Just a soft follow-up and reminder that we are seeking comment from our CAPEC researcher community on the proposed definitions by next Tuesday, July 26. If you have already responded – thank you! Cheers, Alec -- Alec J. Summers Center for Securing the Homeland (CSH) Cyber Security Engineer, Principal Group Lead, Cybersecurity Operations and Integration –––––––––––––––––––––––––––––––––––– MITRE - Solving Problems for a Safer World™ From: Alec J Summers <asumm...@mitre.org<mailto:asumm...@mitre.org>> Date: Wednesday, July 13, 2022 at 1:08 PM To: CAPEC Researcher Discussion <capec-research-list@mitre.org<mailto:capec-research-list@mitre.org>> Subject: CWE/CAPEC Definitions Dear CAPEC Research Community, I hope this email finds you well. Over the past few months, the CWE/CAPEC User Experience Working Group has been working to modernize our programs through a variety of activities. One such activity is harmonizing the definitions on our sites for some of our key terminology including weakness, vulnerability, and attack pattern. As CWE and CAPEC were developed separately and on a different timeline, some of the terms are not defined similarly, and we want to address that. We are seeking feedback on our working definitions: Vulnerability A flaw in a software, firmware, hardware, or service component resulting from a weakness that can be exploited, causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components (from CVE®) Weakness A type of flaw or defect inserted during a product lifecycle that, under the right conditions, could contribute to the introduction of vulnerabilities in a range of products made by different vendors Attack Pattern The common approach and attributes related to the exploitation of a weakness, usually in cyber-enabled capabilities Note: CVE’s definition for ‘vulnerability’ was agreed upon after significant community deliberation, and we are not looking to change it at this time. We are hoping to publish new, improved definitions on our websites at the end of the month. Please provide thoughts and comments by Tuesday, July 26. Cheers, Alec -- Alec J. Summers Center for Securing the Homeland (CSH) Cyber Security Engineer, Principal Group Lead, Cybersecurity Operations and Integration –––––––––––––––––––––––––––––––––––– MITRE - Solving Problems for a Safer World™
