Vulnerability = weakeness + exploit Or more specifically, Vulnerability = weakeness(es) + known exploit
...Joe On Thu, Jul 14, 2022, 12:17 Hatfield, Arthur <arthur_hatfi...@homedepot.com> wrote: > I think it may be best to split the difference by describing weaknesses as > flaws that are *potentially* exploitable to cause undesired operation of > the system and describing vulnerabilities as the subset of weaknesses that > are *provably* exploitable; that allows the possibility that some > exploits are either extant but not generally known to exist, or would exist > if someone applied themselves to finding an exploit technique. > > > > > > *RT Hatfield**, BS CS, CCITP, CISSP* > > Staff Cybersecurity Analyst > > Lead, Notifications and Operations Service Line > > Cyber Threat Intelligence > > *The Home Depot* > > > > > > > > *From: *SJ Jazz <sjoeja...@gmail.com> > *Date: *Thursday, July 14, 2022 at 1:13 PM > *To: *Rob Wissmann <rob.wissm...@nteligen.com> > *Cc: *Alec J Summers <asumm...@mitre.org>, CWE Research Discussion < > cwe-research-list@mitre.org> > *Subject: *[EXTERNAL] Re: CWE/CAPEC Definitions > > Actually, being listed as a CVE is not the criteria for being a > vulnerability. Only vulnerabilities catalogued as CVEs are 'known > vulnerabilities'. There are actual instances of uncatalogued (unpublished) > vulnerabilities; some are in proprietary or intelligence organization's > libraries, and some are held by malicious actors for future exploitation > (at which point they will be known as zero-day vulnerabilities). > > > > It is the existence of an exploit designed to take advantage of a weakness > (or multiple weaknesses) and achieve a negative technical impact that makes > a weakness a vulnerability. > > > > It is not the state of being publicly known or catalogued that makes it a > vulnerability. > > > > ...Joe > > > > > > > > On Thu, Jul 14, 2022 at 11:50 AM Rob Wissmann <rob.wissm...@nteligen.com> > wrote: > > Regarding the circular definitions, it has always struck me that > weaknesses are flaws that *may or may not* be exploitable to cause > negative impact whereas vulnerabilities are flaws *known* to be > exploitable to cause negative impact. > > > > A rewrite of the definitions to match this concept: > > > > *Vulnerability* > > *A flaw in a software, firmware, hardware, or service component known to > be exploitable to cause a negative impact to the confidentiality, > integrity, or availability of an impacted component or components (from > CVE®)* > > *Weakness* > > *A flaw in a software, firmware, hardware, or service component that may > or may not be exploitable to cause a negative impact to the > confidentiality, integrity, or availability of an impacted component or > components.* > > > > Vulnerabilities must be known to be exploitable because of the CVE > criteria [cve.org] > <https://urldefense.com/v3/__https:/www.cve.org/About/Process*CVERecordLifecycle__;Iw!!M-nmYVHPHQ!NfnLPvDdkiRWH3L2xvMa9KYle-CdclOb75YztG_5ExXRad3d_EIacRd2LMB8bBeLbczXRpgZviQ46Vn0fy3hmNg21w$>: > “Details include but are not limited to affected product(s); affected or > fixed product versions; vulnerability type, root cause, or impact; and at > least one public reference.” > > > > An example of a flaw that may or may not be a vulnerability is an integer > overflow. It might result in a vulnerability, or it might not. That’s a > weakness. > > > > Thanks > > > > *From:* Alec J Summers <asumm...@mitre.org> > *Sent:* Wednesday, July 13, 2022 1:09 PM > *To:* CWE Research Discussion <cwe-research-list@mitre.org> > *Subject:* CWE/CAPEC Definitions > > > > Dear CWE Research Community, > > > > I hope this email finds you well. > > > > Over the past few months, the CWE/CAPEC User Experience Working Group has > been working to modernize our programs through a variety of activities. One > such activity is harmonizing the definitions on our sites for some of our > key terminology including weakness, vulnerability, and attack pattern. As > CWE and CAPEC were developed separately and on a different timeline, some > of the terms are not defined similarly, and we want to address that. > > > > We are seeking feedback on our working definitions: > > > > *Vulnerability* > > *A flaw in a software, firmware, hardware, or service component resulting > from a weakness that can be exploited, causing a negative impact to the > confidentiality, integrity, or availability of an impacted component or > components (from CVE®)* > > *Weakness* > > *A type of flaw or defect inserted during a product lifecycle that, under > the right conditions, could contribute to the introduction of > vulnerabilities in a range of products made by different vendors* > > *Attack Pattern* > > *The common approach and attributes related to the exploitation of a > weakness, usually in cyber-enabled capabilities* > > > > *Note*: CVE’s definition for ‘vulnerability’ was agreed upon after > significant community deliberation, and we are not looking to change it at > this time. > > > > We are hoping to publish new, improved definitions on our websites at the > end of the month. Please provide thoughts and comments by Tuesday, July 26. > > > > Cheers, > > Alec > > > > -- > > *Alec J. Summers* > > Center for Securing the Homeland (CSH) > > Cyber Security Engineer, Principal > > Group Lead, Cybersecurity Operations and Integration > > *––––––––––––––––––––––––––––––––––––* > > *MITRE - Solving Problems for a Safer World™* > > > > > > > > > -- > > Regards, > > > > Joe > > > > Joe Jarzombek > > C 703 627-4644 > > INTERNAL USE >