Dear CWE/CAPEC Board Members, Good afternoon! I hope the week is going well for you all.
During a recent CWE/CAPEC User Experience Working Group session, the topic of definitions came up – more specifically, the difficulty in agreeing on good ones and making sure they are understood by downstream users. It also reminded me of Pietro's comment during our February meeting, I believe, on the importance of harmonious definitions for similar terms across the CVE and CWE/CAPEC sites.

To that end, the team went ahead and did a quick document authorities search of our key terminology to start (i.e., vulnerability, weakness, attack pattern), and suggested the following:

Term: Vulnerability
Definition: A flaw in a software, firmware, hardware, or service component resulting from a weakness that can be exploited, causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components.
Authority: (not changed)
Authorities Doc: CVE website

Term: Weakness
Definition: A type of mistake made during the implementation, design, or other phases of a product lifecycle that, under the right conditions, could contribute to the introduction of vulnerabilities in a range of products made by different vendors.
Authority: n/a
Authorities Doc: edited from def on CWE website

Term: Attack Pattern
Definition: The common approach and attributes related to the exploitation of a known weakness type, usually in cyber-enabled capabilities.
Authority: n/a
Authorities Doc: edited from def on CAPEC website

The full spreadsheet of definitions to compare is attached. The plan would be to unify the definitions according to the above across all our sites.

Would love to hear your thoughts.

Cheers,
Alec

--
Alec J. Summers
Center for Securing the Homeland (CSH)
Cyber Security Engineer, Principal
Group Lead, Cybersecurity Operations and Integration
––––––––––––––––––––––––––––––––––––
MITRE - Solving Problems for a Safer World™
Attachment: GAoB Glossary.xlsx