Agreed.

Change the highlighted ‘vulnerabilities’ and ‘a weakness’ to ‘conditions’…

Just a quick thought.

Thank you, Gracias, Grazie, Mahalo, Merci, Σας ευχαριστώ, Bedankt, Danke, 
ありがとう, धन्यवाद!
--
Kent Landfield
Trellix
+1.817.637.8026
kent.landfi...@trellix.com

From: Paul Wooderson <paul.wooder...@horiba-mira.com>
Date: Thursday, July 14, 2022 at 11:19 AM
To: Alec J Summers <asumm...@mitre.org>, CWE Research Discussion 
<cwe-research-list@mitre.org>
Subject: RE: CWE/CAPEC Definitions


All,

One issue I see with these definitions of vulnerability and weakness is that 
they are circular, i.e. each term uses the other in its definition. So when 
each term is replaced with its definition in the other term’s definition, it is 
impossible to resolve what is intended. I have tried this below (including 
striking the “range of products” as suggested by others) – the substituted 
definitions are in red text and the circularities are highlighted in yellow.

Vulnerability
A flaw in a software, firmware, hardware, or service component resulting from a 
type of flaw or defect inserted during a product lifecycle that, under the 
right conditions, could contribute to the introduction of vulnerabilities in a 
range of products made by different vendors that can be exploited, causing a 
negative impact to the confidentiality, integrity, or availability of an 
impacted component or components (from CVE®)
Weakness
A type of flaw or defect inserted during a product lifecycle that, under the 
right conditions, could contribute to the introduction of flaws in a software, 
firmware, hardware, or service component resulting from a weakness that can be 
exploited, causing a negative impact to the confidentiality, integrity, or 
availability of an impacted component or components in a range of products made 
by different vendors

We have recently addressed the same issue with these same terms in the recently 
published automotive cybersecurity standard ISO/SAE 21434. There we settled on 
the following definitions:

vulnerability
weakness that can be exploited as part of an attack path
weakness
defect or characteristic that can lead to undesirable behaviour

In this way we can define vulnerabilities as a specific subset of weaknesses.

Definitions in ISO standards tend to be short and less descriptive than these 
from CVE/CWE, so it may not be appropriate to directly suggest them here. 
However, if it is preferred to not make further changes to “vulnerability”, 
then perhaps “weakness” could be modified as follows in order to avoid the 
circularity:

Vulnerability
A flaw in a software, firmware, hardware, or service component resulting from a 
weakness that can be exploited, causing a negative impact to the 
confidentiality, integrity, or availability of an impacted component or 
components (from CVE®)
Weakness
A type of flaw or defect inserted during a product lifecycle that, under the 
right conditions, could lead to undesirable behaviour


Best regards,
Paul

Paul Wooderson
Chief Engineer – Cybersecurity
Email:
paul.wooder...@horiba-mira.com<mailto:paul.wooder...@horiba-mira.com>
Direct:
+44 24 7635 5244
Mobile:
+44 7731 010066
HORIBA MIRA Ltd.
Watling Street, Nuneaton
Warwickshire, CV10 0TU, UK
www.horiba-mira.com<https://www.horiba-mira.com/>

From: Alec J Summers <asumm...@mitre.org>
Sent: 13 July 2022 18:09
To: CWE Research Discussion <cwe-research-list@mitre.org>
Subject: CWE/CAPEC Definitions

Dear CWE Research Community,

I hope this email finds you well.

Over the past few months, the CWE/CAPEC User Experience Working Group has been 
working to modernize our programs through a variety of activities. One such 
activity is harmonizing the definitions on our sites for some of our key 
terminology including weakness, vulnerability, and attack pattern. As CWE and 
CAPEC were developed separately and on a different timeline, some of the terms 
are not defined similarly, and we want to address that.

We are seeking feedback on our working definitions:

Vulnerability
A flaw in a software, firmware, hardware, or service component resulting from a 
weakness that can be exploited, causing a negative impact to the 
confidentiality, integrity, or availability of an impacted component or 
components (from CVE®)
Weakness
A type of flaw or defect inserted during a product lifecycle that, under the 
right conditions, could contribute to the introduction of vulnerabilities in a 
range of products made by different vendors
Attack Pattern
The common approach and attributes related to the exploitation of a weakness, 
usually in cyber-enabled capabilities

Note: CVE’s definition for ‘vulnerability’ was agreed upon after significant 
community deliberation, and we are not looking to change it at this time.

We are hoping to publish new, improved definitions on our websites at the end 
of the month. Please provide thoughts and comments by Tuesday, July 26.

Cheers,
Alec

--
Alec J. Summers
Center for Securing the Homeland (CSH)
Cyber Security Engineer, Principal
Group Lead, Cybersecurity Operations and Integration
––––––––––––––––––––––––––––––––––––
MITRE - Solving Problems for a Safer World™


