Red Hat adopted the following definition of a weakness a year or so ago: "A weakness is specifically the absence of a safeguard in an asset or process that provides a higher potential or frequency of a threat occurring, but does not meet the exploitability criteria for a vulnerability." We've also defined vulnerability much more broadly to include weaknesses as a subset: "A weakness or absence of a safeguard in an asset that provides a higher potential or frequency of a threat occurring." We were running into differing opinions when we looked at each as separate and unique. The other factor we've called out internally is hardening. The key difference between a weakness and hardening for us is that a weakness is a direct factor in the potential and frequency, versus hardening, which is the safeguards that prevent.
On Tue, May 24, 2022 at 12:49 PM Alec J Summers <asumm...@mitre.org> wrote:

> Dear CWE/CAPEC Board Members,
>
> Good afternoon! I hope the week is going well for you all.
>
> During a recent CWE/CAPEC User Experience Working Group session, the topic of definitions came up – more specifically, the difficulty in agreeing on good ones and making sure they are understood by downstream users. It also reminded me of Pietro's comment during our February meeting, I believe, on the importance of harmonious definitions for similar terms across the CVE and CWE/CAPEC sites. To that end, the team went ahead and did a quick document authorities search of our key terminology to start (i.e., vulnerability, weakness, attack pattern), and suggested the following:
>
> Term: Vulnerability
> Definition: A flaw in a software, firmware, hardware, or service component resulting from a weakness that can be exploited, causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components. (not changed)
> Authority: CVE
> Authorities Doc: website
>
> Term: Weakness
> Definition: A type of mistake made during the implementation, design, or other phases of a product lifecycle that, under the right conditions, could contribute to the introduction of vulnerabilities in a range of products made by different vendors.
> Authority: n/a
> Authorities Doc: edited from def on CWE website
>
> Term: Attack Pattern
> Definition: The common approach and attributes related to the exploitation of a known weakness type, usually in cyber-enabled capabilities
> Authority: n/a
> Authorities Doc: edited from def on CAPEC website
>
> The full spreadsheet of definitions to compare is attached. The plan would be to unify the definitions according to the above across all our sites. Would love to hear your thoughts.
>
> Cheers,
>
> Alec
>
> --
> Alec J. Summers
> Center for Securing the Homeland (CSH)
> Cyber Security Engineer, Principal
> Group Lead, Cybersecurity Operations and Integration
> ––––––––––––––––––––––––––––––––––––
> MITRE - Solving Problems for a Safer World™

--
Jeremy West
Red Hat Product Security
Red Hat Massachusetts <https://www.redhat.com>
314 Littleton Rd
jw...@redhat.com
M: 9192686967
IM: hobbit
<https://red.ht/sig>