Hi

There is no issue with the description imo.
Proper "Isolation" can be achieved with very good "compartmentalization".
If that is correct, I guess the main idea behind this is to strictly give
access to available data and/or resources to only authorized users.
"Distinct Environments" for distinct users, hence, isolate
"Environments" from one another. To achieve this you'll use
compartmentalization, don't you?


On Tue, 28 Jun 2022, 21:16, Rob Wissmann <rob.wissm...@nteligen.com>
wrote:

> Hi,
>
>
>
> I have a comment about last October’s name change for CWE-653 from
> “Insufficient Compartmentalization” to “Improper Isolation or
> Compartmentalization”. The addition of “Isolation” alters the meaning of
> the CWE in a way that I’m not sure was intended.
>
>
>
> Compartmentalization is strictly about segmenting functionality or
> resources such that privileges may be scoped to them, as described in the
> notes section of CWE-653:
>
>
>
> There is a close association with CWE-250
> <https://cwe.mitre.org/data/definitions/250.html> (Execution with
> Unnecessary Privileges). CWE-653
> <https://cwe.mitre.org/data/definitions/653.html> is about providing
> separate components for each "privilege"; CWE-250
> <https://cwe.mitre.org/data/definitions/250.html> is about ensuring that
> each component has the least amount of privileges possible. In this
> fashion, compartmentalization becomes one mechanism for reducing privileges.
>
>
>
> Isolation has a broader meaning than compartmentalization; it is inclusive
> of the privilege set assigned to the component and centered around
> particular types of privilege/access. For example, splitting functionality
> into two processes is compartmentalization. Applying access controls to
> ensure that only one process has database write access is an example of
> isolation built on compartmentalization.
>
>
>
> “Compartmentalization” and “isolation” mean different things. The addition
> of “Isolation” to the title of CWE-653 conflates the two, making it seem
> like they are synonyms. The description also is worded as if the two are
> interchangeable:
>
>
>
> The product does not properly compartmentalize or isolate functionality,
> processes, or resources that require different privilege levels, rights, or
> permissions.
>
>
>
> The title and description should be reverted to remove conflation of the
> terms.
>
>
>
> Thank you,
>
> Rob Wissmann
>
