One thing I'm noticing when I search the CWE database:

It's a nightmare. Really bad. Like... is the keyword I want "identical",
"shared", "reused"...

I've noticed Amazon products are basically SEO buzzword bingo:

Wonder Space Soft Pit Balls, Chemical-Free Crush Proof Plastic Ocean Ball,
BPA Free with No Smell, Safe for Toddler Ball Pit/ Kiddie Pool/ Indoor Baby
Playpen

I'm not saying we should go this far, but making CWE more searchable by
including more keywords, or a search keywords field or something would sure
help.

In your case:

“Compartmentalization” and “isolation” mean different things.

Well, yes, probably, because they're different words. But what definitions
are you using? Webster's? OED?

I think we should worry a LOT less about getting the perfect short/exact
wording and more about descriptive titles and text that people can actually
find and use.

On Tue, Jun 28, 2022 at 1:16 PM Rob Wissmann <rob.wissm...@nteligen.com>
wrote:

> Hi,
>
> I have a comment about last October’s name change for CWE-653 from
> “Insufficient Compartmentalization” to “Improper Isolation or
> Compartmentalization”. The addition of “Isolation” alters the meaning of
> the CWE in a way that I’m not sure was intended.
>
> Compartmentalization is strictly about segmenting functionality or
> resources such that privileges may be scoped to them, as described in the
> notes section of CWE-653:
>
> There is a close association with CWE-250
> <https://cwe.mitre.org/data/definitions/250.html> (Execution with
> Unnecessary Privileges). CWE-653
> <https://cwe.mitre.org/data/definitions/653.html> is about providing
> separate components for each "privilege"; CWE-250
> <https://cwe.mitre.org/data/definitions/250.html> is about ensuring that
> each component has the least amount of privileges possible. In this
> fashion, compartmentalization becomes one mechanism for reducing privileges.
>
> Isolation has a broader meaning than compartmentalization; it is inclusive
> of the privilege set assigned to the component and centered around
> particular types of privilege/access. For example, splitting functionality
> into two processes is compartmentalization. Applying access controls to
> ensure that only one process has database write access is an example of
> isolation built on compartmentalization.
>
> “Compartmentalization” and “isolation” mean different things. The addition
> of “Isolation” to the title of CWE-653 conflates the two, making it seem
> like they are synonyms. The description also is worded as if the two are
> interchangeable:
>
> The product does not properly compartmentalize or isolate functionality,
> processes, or resources that require different privilege levels, rights, or
> permissions.
>
> The title and description should be reverted to remove conflation of the
> terms.
>
> Thank you,
>
> Rob Wissmann
>


-- 
Kurt Seifried (He/Him)
k...@seifried.org

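An added example, not part of either message in the thread above, to make the two-process/database-write distinction from Rob's mail concrete in running code. It is illustrative only and assumes its own stand-ins: os.fork() for the split into two processes (Unix only), SQLite's mode=ro URI flag as the access control that scopes write access to one process, and a constructed "events" table and two constructed records. With isolated=False the design is compartmentalized but not isolated (both processes hold read/write handles, so a compromised parser can forge a record); with isolated=True the parser's handle is read-only and the forged write is refused by the library.

```python
"""Compartmentalization vs. isolation, as an added illustration.

Compartmentalization: the work is split into two processes, a parser that
handles untrusted input and a writer that records results.  Isolation: the
parser's database handle is additionally scoped to read-only, so even a
compromised parser cannot write.  SQLite's mode=ro URI flag stands in for the
access control; os.fork() stands in for the process split (Unix only).
"""
import os
import sqlite3
import tempfile


def open_db(path: str, read_only: bool) -> sqlite3.Connection:
    # mode=ro is enforced by the SQLite library itself: any write through
    # this handle fails with "attempt to write a readonly database".
    mode = "ro" if read_only else "rw"
    return sqlite3.connect(f"file:{path}?mode={mode}", uri=True)


def run_in_child(fn) -> int:
    """Fork, run fn() in the child process, return its exit status."""
    pid = os.fork()
    if pid == 0:
        code = 1
        try:
            code = fn()
        finally:
            os._exit(code)
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status)


def parser_compartment(db_path: str, read_only: bool) -> int:
    """The untrusted-input compartment, modelled as already compromised: it
    tries to forge a record.  Returns 0 if the write went through, 13 if the
    access control refused it."""
    conn = open_db(db_path, read_only)
    try:
        conn.execute("INSERT INTO events(msg) VALUES ('forged by parser')")
        conn.commit()
        return 0
    except sqlite3.OperationalError:
        return 13
    finally:
        conn.close()


def writer_compartment(db_path: str) -> int:
    """The only compartment that is meant to hold write access."""
    conn = open_db(db_path, read_only=False)
    try:
        conn.execute("INSERT INTO events(msg) VALUES ('legitimate record')")
        conn.commit()
        return 0
    finally:
        conn.close()


def run_design(isolated: bool) -> dict:
    """Run both compartments against a fresh, constructed database.

    isolated=False: two processes, both with read/write handles, i.e.
    compartmentalization alone.  isolated=True: the parser's handle is
    read-only, i.e. isolation built on top of the compartmentalization.
    """
    fd, db_path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        conn = sqlite3.connect(db_path)
        conn.execute("CREATE TABLE events (msg TEXT)")
        conn.commit()
        conn.close()

        writer_rc = run_in_child(lambda: writer_compartment(db_path))
        parser_rc = run_in_child(lambda: parser_compartment(db_path, isolated))

        conn = sqlite3.connect(db_path)
        rows = [r[0] for r in conn.execute("SELECT msg FROM events ORDER BY msg")]
        conn.close()
        return {
            "writer_ok": writer_rc == 0,
            "parser_write_denied": parser_rc == 13,
            "rows": rows,
        }
    finally:
        os.unlink(db_path)


if __name__ == "__main__":
    print("compartmentalized only:", run_design(isolated=False))
    print("compartmentalized + isolated:", run_design(isolated=True))
```

The point of the two runs is that the process split alone changes nothing about what a compromised parser can do to the database; only the second step, scoping the handle, is the isolation. In a real system the read-only handle would be replaced by the equivalent OS or database control (a separate DB role with no INSERT grant, a filesystem ACL, a seccomp or sandbox policy), but the layering is the same.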