Isolation or compartmentalization are just means or, if you like, techniques to achieve the pursued goal.

Kind regards,
Yacouba Bamba

On Fri, 1 Jul 2022, 06:57, Yacouba Bamba <deba...@gmail.com> wrote:

> Hi
>
> There is no issue with the description imo.
> Proper "Isolation" can be achieved with very good "compartmentalization".
> If that is correct, I guess the main idea behind this is to strictly give
> access to available data and/or resources to only authorized users.
> "Distinct Environments" for distinct users, hence, isolate
> "Environments" from one another. To achieve this you'll use
> compartmentalization, don't you?
>
> On Tue, 28 Jun 2022, 21:16, Rob Wissmann <rob.wissm...@nteligen.com> wrote:
>
>> Hi,
>>
>> I have a comment about last October’s name change for CWE-653 from
>> “Insufficient Compartmentalization” to “Improper Isolation or
>> Compartmentalization”. The addition of “Isolation” alters the meaning of
>> the CWE in a way that I’m not sure was intended.
>>
>> Compartmentalization is strictly about segmenting functionality or
>> resources such that privileges may be scoped to them, as described in the
>> notes section of CWE-653:
>>
>> There is a close association with CWE-250
>> <https://cwe.mitre.org/data/definitions/250.html> (Execution with
>> Unnecessary Privileges). CWE-653
>> <https://cwe.mitre.org/data/definitions/653.html> is about providing
>> separate components for each "privilege"; CWE-250
>> <https://cwe.mitre.org/data/definitions/250.html> is about ensuring that
>> each component has the least amount of privileges possible. In this
>> fashion, compartmentalization becomes one mechanism for reducing privileges.
>>
>> Isolation has a broader meaning than compartmentalization, it is
>> inclusive of the privilege set assigned to the component and centered
>> around particular types of privilege/access. For example, splitting
>> functionality into two processes is compartmentalization. Applying access
>> controls to ensure that only one process has database write access is an
>> example of isolation built on compartmentalization.
>>
>> “Compartmentalization” and “isolation” mean different things. The
>> addition of “Isolation” to the title of CWE-653 conflates the two, making
>> it seem like they are synonyms. The description also is worded as if the
>> two are interchangeable:
>>
>> The product does not properly compartmentalize or isolate functionality,
>> processes, or resources that require different privilege levels, rights, or
>> permissions.
>>
>> The title and description should be reverted to remove conflation of the
>> terms.
>>
>> Thank you,
>>
>> Rob Wissmann
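
The distinction drawn in the original message (splitting functionality into two processes versus ensuring only one process has database write access), as an added example that is not part of the thread. It assumes SQLite's read-only open mode as a stand-in for a database access control; the table, worker and function names are hypothetical.

```python
import os
import pathlib
import sqlite3
import subprocess
import sys
import tempfile

# Body of the reporting component. It runs as its own OS process (a
# compartment), reads the table, then attempts a write it should never need.
WORKER = r'''
import sqlite3, sys
con = sqlite3.connect(sys.argv[1], uri=True)
rows = con.execute("SELECT COUNT(*) FROM orders").fetchone()[0]
try:
    con.execute("INSERT INTO orders(item) VALUES ('unexpected')")
    con.commit()
    print(f"rows={rows} write=allowed")
except sqlite3.OperationalError:
    print(f"rows={rows} write=denied")
'''

def run_reporting_process(db_path, isolated):
    """Start the reporting compartment; 'isolated' scopes its DB access to read-only."""
    mode = "ro" if isolated else "rw"  # assumption: open mode models the access control
    uri = pathlib.Path(db_path).as_uri() + f"?mode={mode}"
    done = subprocess.run([sys.executable, "-c", WORKER, uri],
                          capture_output=True, text=True, check=True)
    return done.stdout.strip()

def count_rows(db_path):
    con = sqlite3.connect(db_path)
    try:
        return con.execute("SELECT COUNT(*) FROM orders").fetchone()[0]
    finally:
        con.close()

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "orders.db")  # constructed sample database
        con = sqlite3.connect(db)
        con.execute("CREATE TABLE orders(item TEXT)")
        con.execute("INSERT INTO orders(item) VALUES ('widget')")
        con.commit()
        con.close()
        # Compartmentalized only: separate process, same write privilege.
        split_only = run_reporting_process(db, isolated=False)
        rows_after_split = count_rows(db)
        # Isolation built on the compartment: the process can read, not write.
        isolated = run_reporting_process(db, isolated=True)
        rows_after_isolated = count_rows(db)
    return split_only, rows_after_split, isolated, rows_after_isolated

if __name__ == "__main__":
    print(demo())
```
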