Vulnerability = weakness + exploit
Or more specifically,
Vulnerability = weakness(es) + known exploit

...Joe

On Thu, Jul 14, 2022, 12:17 Hatfield, Arthur <arthur_hatfi...@homedepot.com>
wrote:

> I think it may be best to split the difference by describing weaknesses as
> flaws that are *potentially* exploitable to cause undesired operation of
> the system and describing vulnerabilities as the subset of weaknesses that
> are *provably* exploitable; that allows the possibility that some
> exploits are either extant but not generally known to exist, or would exist
> if someone applied themselves to finding an exploit technique.
>
> *RT Hatfield, BS CS, CCITP, CISSP*
>
> Staff Cybersecurity Analyst
>
> Lead, Notifications and Operations Service Line
>
> Cyber Threat Intelligence
>
> *The Home Depot*
>
> *From: *SJ Jazz <sjoeja...@gmail.com>
> *Date: *Thursday, July 14, 2022 at 1:13 PM
> *To: *Rob Wissmann <rob.wissm...@nteligen.com>
> *Cc: *Alec J Summers <asumm...@mitre.org>, CWE Research Discussion <
> cwe-research-list@mitre.org>
> *Subject: *[EXTERNAL] Re: CWE/CAPEC Definitions
>
> Actually, being listed as a CVE is not the criterion for being a
> vulnerability.  Only vulnerabilities catalogued as CVEs are 'known
> vulnerabilities'. There are actual instances of uncatalogued (unpublished)
> vulnerabilities; some are in proprietary or intelligence organization's
> libraries, and some are held by malicious actors for future exploitation
> (at which point they will be known as zero-day vulnerabilities).
>
>
>
> It is the existence of an exploit designed to take advantage of a weakness
> (or multiple weaknesses) and achieve a negative technical impact that makes
> a weakness a vulnerability.
>
>
>
> It is not the state of being publicly known or catalogued that makes it a
> vulnerability.
>
>
>
> ...Joe
>
>
> On Thu, Jul 14, 2022 at 11:50 AM Rob Wissmann <rob.wissm...@nteligen.com>
> wrote:
>
> Regarding the circular definitions, it has always struck me that
> weaknesses are flaws that *may or may not* be exploitable to cause
> negative impact whereas vulnerabilities are flaws *known* to be
> exploitable to cause negative impact.
>
>
>
> A rewrite of the definitions to match this concept:
>
>
>
> *Vulnerability*
>
> *A flaw in a software, firmware, hardware, or service component known to
> be exploitable to cause a negative impact to the confidentiality,
> integrity, or availability of an impacted component or components (from
> CVE®)*
>
> *Weakness*
>
> *A flaw in a software, firmware, hardware, or service component that may
> or may not be exploitable to cause a negative impact to the
> confidentiality, integrity, or availability of an impacted component or
> components.*
>
>
>
> Vulnerabilities must be known to be exploitable because of the CVE
> criteria <https://www.cve.org/About/Process#CVERecordLifecycle>:
> “Details include but are not limited to affected product(s); affected or
> fixed product versions; vulnerability type, root cause, or impact; and at
> least one public reference.”
>
>
>
> An example of a flaw that may or may not be a vulnerability is an integer
> overflow. It might result in a vulnerability, or it might not. That’s a
> weakness.
>
>
>
> Thanks
>
>
>
> *From:* Alec J Summers <asumm...@mitre.org>
> *Sent:* Wednesday, July 13, 2022 1:09 PM
> *To:* CWE Research Discussion <cwe-research-list@mitre.org>
> *Subject:* CWE/CAPEC Definitions
>
>
>
> Dear CWE Research Community,
>
>
>
> I hope this email finds you well.
>
>
>
> Over the past few months, the CWE/CAPEC User Experience Working Group has
> been working to modernize our programs through a variety of activities. One
> such activity is harmonizing the definitions on our sites for some of our
> key terminology including weakness, vulnerability, and attack pattern. As
> CWE and CAPEC were developed separately and on a different timeline, some
> of the terms are not defined similarly, and we want to address that.
>
>
>
> We are seeking feedback on our working definitions:
>
>
>
> *Vulnerability*
>
> *A flaw in a software, firmware, hardware, or service component resulting
> from a weakness that can be exploited, causing a negative impact to the
> confidentiality, integrity, or availability of an impacted component or
> components (from CVE®)*
>
> *Weakness*
>
> *A type of flaw or defect inserted during a product lifecycle that, under
> the right conditions, could contribute to the introduction of
> vulnerabilities in a range of products made by different vendors*
>
> *Attack Pattern*
>
> *The common approach and attributes related to the exploitation of a
> weakness, usually in cyber-enabled capabilities*
>
>
>
> *Note*: CVE’s definition for ‘vulnerability’ was agreed upon after
> significant community deliberation, and we are not looking to change it at
> this time.
>
>
>
> We are hoping to publish new, improved definitions on our websites at the
> end of the month. Please provide thoughts and comments by Tuesday, July 26.
>
>
>
> Cheers,
>
> Alec
>
>
>
> --
>
> *Alec J. Summers*
>
> Center for Securing the Homeland (CSH)
>
> Cyber Security Engineer, Principal
>
> Group Lead, Cybersecurity Operations and Integration
>
> *––––––––––––––––––––––––––––––––––––*
>
> *MITRE - Solving Problems for a Safer World™*
>
> --
>
> Regards,
>
>
>
> Joe
>
>
>
> Joe Jarzombek
>
> C 703 627-4644
>
> INTERNAL USE
>

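Rob's integer-overflow remark above (a weakness that "might result in a vulnerability, or it might not") is worth seeing in code. The following is an added example written for this page, not code from any participant in the thread. It puts the same 32-bit arithmetic wrap (what CWE catalogues as CWE-190) in two contexts: one where the wrapped value feeds an allocation size and an attacker-chosen count would put bytes past the end of the buffer, and one where the wrap only corrupts a statistics counter. The inputs (a count of 0x40000001 elements of 4 bytes) are constructed for the demonstration; no memory is actually overwritten, the overrun is computed in 64 bits and reported instead.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Context 1: an attacker-influenced count times an element size feeds an
 * allocation. The product is computed in 32 bits and silently wraps. */
uint32_t unchecked_alloc_size(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;          /* 0x40000001 * 4 wraps to 4 */
}

/* How many bytes a loop writing `count` elements of `elem_size` bytes
 * would place past the end of a buffer of `alloc` bytes. Computed in
 * 64 bits so this arithmetic cannot wrap; nothing is written. */
uint64_t bytes_written_past_end(uint32_t alloc, uint32_t count,
                                uint32_t elem_size)
{
    uint64_t needed = (uint64_t)count * elem_size;
    return needed > alloc ? needed - alloc : 0;
}

/* Hardened form: refuse any count whose product does not fit in 32 bits,
 * so the caller fails closed instead of allocating a too-small buffer. */
bool checked_alloc_size(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return false;
    *out = count * elem_size;
    return true;
}

/* Context 2: the same wrap in a bytes-processed counter. Still a flaw,
 * still a wrong result, but the value never reaches a size, an index
 * or a pointer, so there is nothing for an exploit to take advantage of. */
uint32_t add_to_byte_counter(uint32_t counter, uint32_t n)
{
    return counter + n;                /* wraps to 0 at 2^32 */
}

int main(void)
{
    /* constructed input: 0x40000001 elements of 4 bytes */
    uint32_t count = 0x40000001u, elem = 4u;
    uint32_t sz = unchecked_alloc_size(count, elem);
    uint32_t safe;

    printf("unchecked size for %u x %u bytes: %u\n", count, elem, sz);
    printf("bytes that would land past the end: %llu\n",
           (unsigned long long)bytes_written_past_end(sz, count, elem));
    printf("checked_alloc_size accepts the input: %s\n",
           checked_alloc_size(count, elem, &safe) ? "yes" : "no");
    printf("counter after wrap: %u\n", add_to_byte_counter(UINT32_MAX, 1u));
    return 0;
}
```

Under the definitions discussed in the thread, `unchecked_alloc_size` and `add_to_byte_counter` contain the same weakness; only the first one becomes a vulnerability, because a concrete path exists from the wrapped value to a negative impact on integrity. The checked variant removes that path rather than the weakness class, which is the distinction a CVE record describes and a CWE entry does not.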