Dear CAPEC Community,

Earlier this summer I emailed you regarding the CWE/CAPEC User Experience Working Group's efforts to harmonize the definitions of some key terminology across our sites. As CWE and CAPEC were developed separately and on a different timeline, some of the terms are not similarly defined, and we want to address that.

Thank you for your thoughtful and considered feedback to my first request for comment on this topic. We received the most feedback on the definition of "weakness". The UEWG and the CWE/CAPEC team have used that in our development of a new definition:

Weakness: A condition in a software, firmware, hardware, or service component that, under the right circumstances, could contribute to the introduction of vulnerabilities.

If adopted, this would be accompanied by the following two definitions for 'attack pattern' and 'vulnerability', respectively.

Attack Pattern: The common approach and attributes related to the exploitation of a weakness, usually in cyber-enabled capabilities.

Vulnerability: A flaw in a software, firmware, hardware, or service component resulting from a weakness that can be exploited, causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components. (from CVE® and not in consideration for modification)

We are eager to hear your thoughts, and we look forward to formalizing this change on our sites soon.

Cheers,
Alec

--
Alec J. Summers
Center for Securing the Homeland (CSH)
Cyber Security Engineer, Principal
Group Lead, Cybersecurity Operations and Integration
MITRE - Solving Problems for a Safer World™