Jeremy, welcome!

I like the idea of defining a weakness with respect to a protection for an asset.
The protection could have weaknesses because of mistakes, forgetfulness, or
any other reason (e.g. environment). An asset-based definition fits really
well for hardware and I think for a lot of software, but I'm wondering if
that generalizes completely to all software?

On Tue, May 24, 2022 at 1:15 PM Jeremy West <jw...@redhat.com> wrote:

> Red Hat adopted the following definition of a weakness a year or so ago. "A
> weakness is specifically the absence of a safeguard in an asset or process
> that provides a higher potential or frequency of a threat occurring, but
> does not meet the exploitability criteria for a vulnerability."  We've also
> defined vulnerability much more broadly to include weaknesses as a subset
> "A weakness or absence of a safeguard in an asset that provides a higher
> potential or frequency of a threat occurring."  We were running into
> differing opinions when we looked at each as separate and unique.  The
> other factor we've called out internally is hardening.  The key difference
> between a weakness and hardening for us is that a weakness is a direct
> factor in the potential and frequency vs hardening which are safeguards
> which prevent.
>
> On Tue, May 24, 2022 at 12:49 PM Alec J Summers <asumm...@mitre.org>
> wrote:
>
>> Dear CWE/CAPEC Board Members,
>>
>> During a recent CWE/CAPEC User Experience Working Group session, the
>> topic of definitions came up – more specifically, the difficulty in
>> agreeing on good ones and making sure they are understood by downstream
>> users. It also reminded me of Pietro’s comment during our February meeting,
>> I believe, on the importance of harmonious definitions for similar terms
>> across the CVE and CWE/CAPEC sites. To that end, the team went ahead and
>> did a quick document authorities search of our key terminology to start
>> (i.e., vulnerability, weakness, attack pattern), and suggested the
>> following:
>>
>> Term: Vulnerability
>> Definition: A flaw in a software, firmware, hardware, or service component
>> resulting from a weakness that can be exploited, causing a negative impact to
>> the confidentiality, integrity, or availability of an impacted component or
>> components. (not changed)
>> Authority: CVE
>> Authorities Doc: website
>>
>> Term: Weakness
>> Definition: A type of mistake made during the implementation, design, or other
>> phases of a product lifecycle that, under the right conditions, could
>> contribute to the introduction of vulnerabilities in a range of products made
>> by different vendors.
>> Authority: n/a
>> Authorities Doc: edited from def on CWE website
>>
>> Term: Attack Pattern
>> Definition: The common approach and attributes related to the exploitation of
>> a known weakness type, usually in cyber-enabled capabilities
>> Authority: n/a
>> Authorities Doc: edited from def on CAPEC website
>>
>> The full spreadsheet of definitions to compare is attached. The plan
>> would be to unify the definitions according to the above across all our
>> sites. Would love to hear your thoughts.
>>
>> Cheers,
>>
>> Alec
>>
>> --
>>
>> *Alec J. Summers*
>>
>> Center for Securing the Homeland (CSH)
>>
>> Cyber Security Engineer, Principal
>>
>> Group Lead, Cybersecurity Operations and Integration
>>
>> *––––––––––––––––––––––––––––––––––––*
>>
>> *MITRE - Solving Problems for a Safer World™*
>>
>
> --
>
> Jeremy West
>
> Red Hat Product Security
>
> Red Hat Massachusetts <https://www.redhat.com>
>
> 314 Littleton Rd
>
> jw...@redhat.com
> M: 9192686967     IM: hobbit
> <https://red.ht/sig>
>


-- 


Dr. Jason Oberg | Co-Founder and CTO | +1 (808) 635-7604

Tortuga Logic <http://www.tortugalogic.com/>  |  75 E Santa Clara Street,
San Jose, CA 95113

