Agreed. Change the highlighted ‘vulnerabilities’ and ‘a weakness’ to ‘conditions’…
Just a quick thought.

Thank you, Gracias, Grazie, Mahalo, Merci, Σας ευχαριστώ, Bedankt, Danke, ありがとう, धन्यवाद!

--
Kent Landfield
Trellix
+1.817.637.8026
kent.landfi...@trellix.com

From: Paul Wooderson <paul.wooder...@horiba-mira.com>
Date: Thursday, July 14, 2022 at 11:19 AM
To: Alec J Summers <asumm...@mitre.org>, CWE Research Discussion <cwe-research-list@mitre.org>
Subject: RE: CWE/CAPEC Definitions

All,

One issue I see with these definitions of vulnerability and weakness is that they are circular, i.e. each term uses the other in its definition. So when each term is replaced with its definition in the other term’s definition, it is impossible to resolve what is intended. I have tried this below (including striking the “range of products” as suggested by others) – the substituted definitions are in red text and the circularities are highlighted in yellow.
Vulnerability
A flaw in a software, firmware, hardware, or service component resulting from a type of flaw or defect inserted during a product lifecycle that, under the right conditions, could contribute to the introduction of vulnerabilities in a range of products made by different vendors that can be exploited, causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components (from CVE®)

Weakness
A type of flaw or defect inserted during a product lifecycle that, under the right conditions, could contribute to the introduction of flaws in a software, firmware, hardware, or service component resulting from a weakness that can be exploited, causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components in a range of products made by different vendors

We have recently addressed the same issue with these same terms in the recently published automotive cybersecurity standard ISO/SAE 21434. There we settled on the following definitions:

vulnerability
weakness that can be exploited as part of an attack path

weakness
defect or characteristic that can lead to undesirable behaviour

In this way we can define vulnerabilities as a specific subset of weaknesses. Definitions in ISO standards tend to be short and less descriptive than these from CVE/CWE, so it may not be appropriate to directly suggest them here.
However, if it is preferred to not make further changes to “vulnerability”, then perhaps “weakness” could be modified as follows in order to avoid the circularity:

Vulnerability
A flaw in a software, firmware, hardware, or service component resulting from a weakness that can be exploited, causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components (from CVE®)

Weakness
A type of flaw or defect inserted during a product lifecycle that, under the right conditions, could lead to undesirable behaviour

Best regards,
Paul

Paul Wooderson
Chief Engineer – Cybersecurity
HORIBA MIRA Ltd., Watling Street, Nuneaton, Warwickshire, CV10 0TU, UK
Email: paul.wooder...@horiba-mira.com
www.horiba-mira.com

From: Alec J Summers <asumm...@mitre.org>
Sent: 13 July 2022 18:09
To: CWE Research Discussion <cwe-research-list@mitre.org>
Subject: CWE/CAPEC Definitions

Dear CWE Research Community,

I hope this email finds you well. Over the past few months, the CWE/CAPEC User Experience Working Group has been working to modernize our programs through a variety of activities. One such activity is harmonizing the definitions on our sites for some of our key terminology, including weakness, vulnerability, and attack pattern. As CWE and CAPEC were developed separately and on a different timeline, some of the terms are not defined similarly, and we want to address that.
We are seeking feedback on our working definitions:

Vulnerability
A flaw in a software, firmware, hardware, or service component resulting from a weakness that can be exploited, causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components (from CVE®)

Weakness
A type of flaw or defect inserted during a product lifecycle that, under the right conditions, could contribute to the introduction of vulnerabilities in a range of products made by different vendors

Attack Pattern
The common approach and attributes related to the exploitation of a weakness, usually in cyber-enabled capabilities

Note: CVE’s definition for ‘vulnerability’ was agreed upon after significant community deliberation, and we are not looking to change it at this time.

We are hoping to publish new, improved definitions on our websites at the end of the month. Please provide thoughts and comments by Tuesday, July 26.

Cheers,
Alec

--
Alec J. Summers
Center for Securing the Homeland (CSH)
Cyber Security Engineer, Principal
Group Lead, Cybersecurity Operations and Integration
MITRE - Solving Problems for a Safer World™