I know the deadline has passed, and I provided extemporaneous comments earlier. 

I came across a lecture I put together years ago with a reference that I 
thought is relevant to the discussion. 

The Common Criteria standard has definitions for vulnerabilities. See pg 30 of 
CC General Model: 
https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf

I feel it is important to use authoritative references when possible. 

Regards,
Jim Whitmore

Sent from my iPhone

> On Jul 26, 2022, at 8:05 PM, Maldonado Rosado, Shadya Beatriz 
> <sbma...@sandia.gov> wrote:
> 
> Just a soft follow-up and reminder that we are seeking comment from our CAPEC 
> and CWE researcher communities on the proposed definitions by 10 PM EST 
> tonight. If you have already responded – thank you!
>  
> Cheers,
>  
> Shadya
> Co-Chair, CWE/CAPEC User Experience Working Group
>  
>  
> ________________________________________________
> Shadya B. Maldonado Rosado
> Cybersecurity Engineer, Principal | Energy Security | 8851
> Sandia National Laboratories
> Pronouns: she/her
>  
>  
> From: Ofer Sheinkin <o...@sheinkin.org> 
> Sent: Wednesday, July 20, 2022 11:08 PM
> To: CAPEC Researcher Discussion <capec-research-list@mitre.org>
> Cc: Godsey, Charles M (Mike) <godse...@nationwide.com>; Keith J Hill 
> <kh...@mitre.org>; Alec J Summers <asumm...@mitre.org>; Karl Ackerman 
> <karl.acker...@sophos.com>
> Subject: [EXTERNAL] Re: CWE/CAPEC Definitions
>  
> I believe Karl Ackerman's definition for Weakness is better, but I would stop 
> after behavior.
>  
> weakness: A deficiency in a product or configuration that allows unintended 
> behavior.
> 
> Ofer Sheinkin
> +972-50-7900400
> o...@sheinkin.org
> 
> On Wed, Jul 20, 2022 at 10:44 PM Karl Ackerman <karl.acker...@sophos.com> 
> wrote:
> Sorry for chiming in on this but isn't a 
> weakness: A deficiency in a product or configuration that allows unintended 
> behavior or access by an unauthorized entity
> From: Godsey, Charles M (Mike) <godse...@nationwide.com>
> Sent: Wednesday, July 20, 2022 3:05 PM
> To: Keith J Hill <kh...@mitre.org>; Alec J Summers <asumm...@mitre.org>; 
> CAPEC Researcher Discussion <capec-research-list@mitre.org>
> Subject: RE: CWE/CAPEC Definitions
> 
> How about something like this:
> 
> Weakness: A state or condition in a product that when subjected to certain 
> condition(s) will fail.  
> 
> Thanks,
> Mike
> 
> C. Michael Godsey BSETE, MSIE, MBA, CISSP, CISM, GICSP, CFE
> Counter-Fraud Capability Leader 
> Nationwide Insurance 3-23-201
> Three Nationwide Plaza
> Columbus, OH  43215
> Phone: 614.677.2528
> Fax: 877.202.5001
> Cell: 614.270.0887
> 
> From: Keith J Hill <kh...@mitre.org> 
> Sent: Wednesday, July 20, 2022 2:53 PM
> To: Alec J Summers <asumm...@mitre.org>; CAPEC Researcher Discussion 
> <capec-research-list@mitre.org>
> Subject: [EXTERNAL] RE: CWE/CAPEC Definitions
> 
> Thanks for the reminder Alec,
> 
> I’m bothered by the Weakness definition, specifically “type of flaw or defect 
> inserted...”  because I think this presumes too much.  I’m tossing this into 
> the ring for consideration. It incorporates some of the ideas that others 
> proposed.
> 
> Weakness: A condition that under the right circumstances begins a process or 
> combines with other weaknesses to cause a harm in a product or system.
> 
> The key is that a weakness is a condition; it may include human and process 
> flaws.  A weakness begins or contributes to that chain of circumstances that 
> results in a vulnerability/harm.
> 
> Keith
> 
> From: Alec J Summers <asumm...@mitre.org> 
> Sent: Wednesday, July 20, 2022 2:39 PM
> To: CAPEC Researcher Discussion <capec-research-list@mitre.org>
> Subject: FW: CWE/CAPEC Definitions
> 
> Just a soft follow-up and reminder that we are seeking comment from our CAPEC 
> researcher community on the proposed definitions by next Tuesday, July 26. If 
> you have already responded – thank you!
> 
> Cheers,
> 
> Alec
> 
> -- 
> 
> Alec J. Summers
> 
> Center for Securing the Homeland (CSH)
> 
> Cyber Security Engineer, Principal
> 
> Group Lead, Cybersecurity Operations and Integration
> 
> ––––––––––––––––––––––––––––––––––––
> 
> MITRE - Solving Problems for a Safer World™
> 
> From: Alec J Summers <asumm...@mitre.org>
> Date: Wednesday, July 13, 2022 at 1:08 PM
> To: CAPEC Researcher Discussion <capec-research-list@mitre.org>
> Subject: CWE/CAPEC Definitions
> 
> Dear CAPEC Research Community,
> 
> I hope this email finds you well.
> 
> Over the past few months, the CWE/CAPEC User Experience Working Group has 
> been working to modernize our programs through a variety of activities. One 
> such activity is harmonizing the definitions on our sites for some of our key 
> terminology including weakness, vulnerability, and attack pattern. As CWE and 
> CAPEC were developed separately and on a different timeline, some of the 
> terms are not defined similarly, and we want to address that.
> 
> We are seeking feedback on our working definitions:
> 
> Vulnerability
> 
> A flaw in a software, firmware, hardware, or service component resulting from 
> a weakness that can be exploited, causing a negative impact to the 
> confidentiality, integrity, or availability of an impacted component or 
> components (from CVE®)
> 
> Weakness
> 
> A type of flaw or defect inserted during a product lifecycle that, under the 
> right conditions, could contribute to the introduction of vulnerabilities in 
> a range of products made by different vendors
> 
> Attack Pattern
> 
> The common approach and attributes related to the exploitation of a weakness, 
> usually in cyber-enabled capabilities
> 
> Note: CVE’s definition for ‘vulnerability’ was agreed upon after significant 
> community deliberation, and we are not looking to change it at this time.
> 
> We are hoping to publish new, improved definitions on our websites at the end 
> of the month. Please provide thoughts and comments by Tuesday, July 26.
> 
> Cheers,
> 
> Alec
> 
> -- 
> 
> Alec J. Summers
> 
> Center for Securing the Homeland (CSH)
> 
> Cyber Security Engineer, Principal
> 
> Group Lead, Cybersecurity Operations and Integration
> 
> ––––––––––––––––––––––––––––––––––––
> 
> MITRE - Solving Problems for a Safer World™