Isolation or compartmentalization are just means or if you like techniques
to achieve the pursuied goal.

Kind regards,

Yacouba Bamba


Le ven. 1 juil. 2022, 06:57, Yacouba Bamba <deba...@gmail.com> a écrit :

> Hi
>
> There is no issue with the description imo.
> Proper "Isolation" can be achieved with very good "compartmentalization".
> If that is correct, I guess the main idea behind this is to strictly give
> access to available data and or ressource to only authorized users.
> "Distincts Environnements" for distincts users, hence, isolate
> "Environnements" from one another. To achieve this you'll use
> compartmentalization don't you ?
>
>
> Le mar. 28 juin 2022, 21:16, Rob Wissmann <rob.wissm...@nteligen.com> a
> écrit :
>
>> Hi,
>>
>>
>>
>> I have a comment about last October’s name change for CWE-653 from
>> “Insufficient Compartmentalization” to “Improper Isolation or
>> Compartmentalization”. The addition of “Isolation” alters the meaning of
>> the CWE in a way that I’m not sure was intended.
>>
>>
>>
>> Compartmentalization is strictly about segmenting functionality or
>> resources such that privileges may be scoped to them, as described in the
>> notes section of CWE-653:
>>
>>
>>
>> There is a close association with CWE-250
>> <https://cwe.mitre.org/data/definitions/250.html> (Execution with
>> Unnecessary Privileges). CWE-653
>> <https://cwe.mitre.org/data/definitions/653.html> is about providing
>> separate components for each "privilege"; CWE-250
>> <https://cwe.mitre.org/data/definitions/250.html> is about ensuring that
>> each component has the least amount of privileges possible. In this
>> fashion, compartmentalization becomes one mechanism for reducing privileges.
>>
>>
>>
>> Isolation has a broader meaning than compartmentalization, it is
>> inclusive of the privilege set assigned to the component and centered
>> around particular types of privilege/access. For example, splitting
>> functionality into two processes is compartmentalization. Applying access
>> controls to ensure that only one process has database write access is an
>> example of isolation built on compartmentalization.
>>
>>
>>
>> “Compartmentalization” and “isolation” mean different things. The
>> addition of “Isolation” to the title of CWE-653 conflates the two, making
>> it seem like they are synonyms. The description also is worded as if the
>> two are interchangeable:
>>
>>
>>
>> The product does not properly compartmentalize or isolate functionality,
>> processes, or resources that require different privilege levels, rights, or
>> permissions.
>>
>>
>>
>> The title and description should be reverted to remove conflation of the
>> terms.
>>
>>
>>
>> Thank you,
>>
>> Rob Wissmann
>>
>

Reply via email to