Dear CWE/CAPEC Board Members,

Good afternoon! I hope the week is going well for you all.

During a recent CWE/CAPEC User Experience Working Group session, the topic of 
definitions came up – more specifically, the difficulty in agreeing on good 
ones and making sure they are understood by downstream users. It also reminded 
me of Pietro’s comment during our February meeting, I believe, on the 
importance of harmonious definitions for similar terms across the CVE and 
CWE/CAPEC sites. To that end, the team went ahead and did a quick document 
authorities search of our key terminology to start (i.e., vulnerability, 
weakness, attack pattern), and suggested the following:

Term: Vulnerability
Definition: A flaw in a software, firmware, hardware, or service component resulting from a weakness that can be exploited, causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components. (not changed)
Authority: CVE
Authorities Doc: website

Term: Weakness
Definition: A type of mistake made during the implementation, design, or other phases of a product lifecycle that, under the right conditions, could contribute to the introduction of vulnerabilities in a range of products made by different vendors.
Authority: n/a
Authorities Doc: edited from def on CWE website

Term: Attack Pattern
Definition: The common approach and attributes related to the exploitation of a known weakness type, usually in cyber-enabled capabilities
Authority: n/a
Authorities Doc: edited from def on CAPEC website


The full spreadsheet of definitions to compare is attached. The plan would be 
to unify the definitions according to the above across all our sites. Would 
love to hear your thoughts.

Cheers,
Alec

--
Alec J. Summers
Center for Securing the Homeland (CSH)
Cyber Security Engineer, Principal
Group Lead, Cybersecurity Operations and Integration
––––––––––––––––––––––––––––––––––––
MITRE - Solving Problems for a Safer World™


Attachment: GAoB Glossary.xlsx