I believe Karl Ackerman's definition for Weakness is better, but I would stop after behavior.
weakness: *A deficiency in a product or configuration that allows unintended behavior.*

*Ofer Sheinkin*
+972-50-7900400
o...@sheinkin.org

On Wed, Jul 20, 2022 at 10:44 PM Karl Ackerman <karl.acker...@sophos.com> wrote:

> Sorry for chiming in on this but isn't a
> weakness: A deficiency in a product or configuration that allows unintended behavior or access by an unauthorized entity
> ------------------------------
> *From:* Godsey, Charles M (Mike) <godse...@nationwide.com>
> *Sent:* Wednesday, July 20, 2022 3:05 PM
> *To:* Keith J Hill <kh...@mitre.org>; Alec J Summers <asumm...@mitre.org>; CAPEC Researcher Discussion <capec-research-list@mitre.org>
> *Subject:* RE: CWE/CAPEC Definitions
>
> How about something like this:
>
> Weakness: A state or condition in a product that when subjected to certain condition(s) will fail.
>
> Thanks,
> Mike
>
> C. Michael Godsey BSETE, MSIE, MBA, CISSP, CISM, GICSP, CFE
> Counter-Fraud Capability Leader
> Nationwide Insurance 3-23-201
> Three Nationwide Plaza
> Columbus, OH 43215
> Phone: 614.677.2528
> Fax: 877.202.5001
> Cell: 614.270.0887
>
> The information contained in this e-mail message, including any attachments, is CONFIDENTIAL, and is intended only for the individual or entity named in this communication. If the reader of this message is not the intended recipient, or employee, or agent responsible for delivering it to the intended recipient, you are hereby notified that dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please immediately notify the sender by e-mail and destroy all copies of the original message. Thank you.
>
> *From:* Keith J Hill <kh...@mitre.org>
> *Sent:* Wednesday, July 20, 2022 2:53 PM
> *To:* Alec J Summers <asumm...@mitre.org>; CAPEC Researcher Discussion <capec-research-list@mitre.org>
> *Subject:* [EXTERNAL] RE: CWE/CAPEC Definitions
>
> *Nationwide Information Security Warning: This is an EXTERNAL email. Use CAUTION before clicking on links, opening attachments, or responding.* (*Sender:* asumm...@mitre.org)
> ------------------------------
>
> Thanks for the reminder Alec,
>
> I’m bothered by the Weakness definition, specifically “type of flaw or defect inserted...” because I think this presumes too much. I’m tossing this into the ring for consideration. It incorporates some of the ideas that others proposed.
>
> *Weakness: A condition that under the right circumstances begins a process or combines with other weaknesses to cause a harm in a product or system.*
>
> The key is that a weakness is a *condition*; it may include human and process flaws. A weakness begins or contributes to that chain of circumstances that results in a vulnerability/harm.
>
> Keith
>
> *From:* Alec J Summers <asumm...@mitre.org>
> *Sent:* Wednesday, July 20, 2022 2:39 PM
> *To:* CAPEC Researcher Discussion <capec-research-list@mitre.org>
> *Subject:* FW: CWE/CAPEC Definitions
>
> Just a soft follow-up and reminder that we are seeking comment from our CAPEC researcher community on the proposed definitions by next Tuesday, July 26. If you have already responded – thank you!
>
> Cheers,
> Alec
>
> --
> *Alec J. Summers*
> Center for Securing the Homeland (CSH)
> Cyber Security Engineer, Principal
> Group Lead, Cybersecurity Operations and Integration
> *––––––––––––––––––––––––––––––––––––*
> *MITRE - Solving Problems for a Safer World™*
>
> *From:* Alec J Summers <asumm...@mitre.org>
> *Date:* Wednesday, July 13, 2022 at 1:08 PM
> *To:* CAPEC Researcher Discussion <capec-research-list@mitre.org>
> *Subject:* CWE/CAPEC Definitions
>
> Dear CAPEC Research Community,
>
> I hope this email finds you well.
>
> Over the past few months, the CWE/CAPEC User Experience Working Group has been working to modernize our programs through a variety of activities. One such activity is harmonizing the definitions on our sites for some of our key terminology including weakness, vulnerability, and attack pattern. As CWE and CAPEC were developed separately and on a different timeline, some of the terms are not defined similarly, and we want to address that.
>
> We are seeking feedback on our working definitions:
>
> *Vulnerability*
> *A flaw in a software, firmware, hardware, or service component resulting from a weakness that can be exploited, causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components (from CVE®)*
>
> *Weakness*
> *A type of flaw or defect inserted during a product lifecycle that, under the right conditions, could contribute to the introduction of vulnerabilities in a range of products made by different vendors*
>
> *Attack Pattern*
> *The common approach and attributes related to the exploitation of a weakness, usually in cyber-enabled capabilities*
>
> *Note*: CVE’s definition for ‘vulnerability’ was agreed upon after significant community deliberation, and we are not looking to change it at this time.
>
> We are hoping to publish new, improved definitions on our websites at the end of the month. Please provide thoughts and comments by Tuesday, July 26.
>
> Cheers,
> Alec
>
> --
> *Alec J. Summers*
> Center for Securing the Homeland (CSH)
> Cyber Security Engineer, Principal
> Group Lead, Cybersecurity Operations and Integration
> *––––––––––––––––––––––––––––––––––––*
> *MITRE - Solving Problems for a Safer World™*