Hi,

I have a comment about last October's name change for CWE-653 from 
"Insufficient Compartmentalization" to "Improper Isolation or 
Compartmentalization". The addition of "Isolation" alters the meaning of the 
CWE in a way that I'm not sure was intended.

Compartmentalization is strictly about segmenting functionality or resources 
such that privileges may be scoped to them, as described in the notes section 
of CWE-653:
There is a close association with 
CWE-250<https://cwe.mitre.org/data/definitions/250.html> (Execution with 
Unnecessary Privileges). 
CWE-653<https://cwe.mitre.org/data/definitions/653.html> is about providing 
separate components for each "privilege"; 
CWE-250<https://cwe.mitre.org/data/definitions/250.html> is about ensuring that 
each component has the least amount of privileges possible. In this fashion, 
compartmentalization becomes one mechanism for reducing privileges.

Isolation has a broader meaning than compartmentalization; it is inclusive of 
the privilege set assigned to the component and centered around particular 
types of privilege/access. For example, splitting functionality into two 
processes is compartmentalization. Applying access controls to ensure that only 
one process has database write access is an example of isolation built on 
compartmentalization.

"Compartmentalization" and "isolation" mean different things. The addition of 
"Isolation" to the title of CWE-653 conflates the two, making it seem like they 
are synonyms. The description also is worded as if the two are interchangeable:
The product does not properly compartmentalize or isolate functionality, 
processes, or resources that require different privilege levels, rights, or 
permissions.

The title and description should be reverted to remove conflation of the terms.

Thank you,
Rob Wissmann
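A worked illustration of the distinction drawn in the message above, added here as an example; it is not part of the original email or of the CWE corpus. Two worker processes share one SQLite file: running them as separate processes is the compartmentalization step, and granting the database write capability to only one of them (via SQLite's read-only URI mode) is the isolation step built on top of it. The component roles, the audit_log table and the temporary database path are constructed for this example.

```python
"""Compartmentalization vs. isolation, demonstrated with two OS processes.

run_design(isolated=False): two compartments, both with read-write access.
run_design(isolated=True):  two compartments, only the writer may write.
Everything here (roles, table, database path) is constructed for illustration.
"""
import multiprocessing as mp
import os
import sqlite3
import tempfile


def _open(db_path: str, writable: bool) -> sqlite3.Connection:
    # SQLite URI filenames scope the privilege per connection: mode=ro makes
    # the database layer refuse every write, independent of the caller's code.
    mode = "rw" if writable else "ro"
    return sqlite3.connect(f"file:{db_path}?mode={mode}", uri=True)


def component(role: str, db_path: str, writable: bool, result_queue) -> None:
    """One compartment: runs in its own process with its own connection."""
    conn = _open(db_path, writable)
    try:
        conn.execute("INSERT INTO audit_log(entry) VALUES (?)", (role,))
        conn.commit()
        outcome = "write ok"
    except sqlite3.OperationalError as exc:
        # With mode=ro this is "attempt to write a readonly database".
        outcome = f"write denied: {exc}"
    rows = conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]
    conn.close()
    result_queue.put((role, outcome, rows))


def run_design(isolated: bool) -> dict:
    """Create the database, run the two compartments in turn, report results.

    Returns {role: {"outcome": str, "rows": int}} where rows is the number of
    audit_log entries visible to that compartment after it ran.
    """
    with tempfile.TemporaryDirectory() as tmpdir:
        db_path = os.path.join(tmpdir, "app.sqlite")
        conn = sqlite3.connect(db_path)
        conn.execute("CREATE TABLE audit_log(entry TEXT)")
        conn.commit()
        conn.close()

        # Compartmentalization: the "writer" and "reader" roles are separate
        # processes. Isolation: the reader only loses write access when
        # isolated=True; otherwise both compartments hold the same privilege.
        plan = [("writer", True), ("reader", not isolated)]
        queue = mp.Queue()
        results = {}
        for role, writable in plan:
            proc = mp.Process(target=component, args=(role, db_path, writable, queue))
            proc.start()
            got_role, outcome, rows = queue.get()
            proc.join()
            results[got_role] = {"outcome": outcome, "rows": rows}
        return results


if __name__ == "__main__":
    for isolated in (False, True):
        print(f"isolated={isolated}:", run_design(isolated))
```

The two runs make the point concretely: without the access-control step every compartment can still write, so splitting the work into processes has not by itself reduced any privilege; with it, the reader compartment is denied at the database layer and the audit table receives only the writer's row.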
