Re: CWE/CAPEC Definitions

2022-07-14 Thread SJ Jazz
Vulnerability = weakness + exploit
Or more specifically,
Vulnerability = weakness(es) + known exploit

...Joe

On Thu, Jul 14, 2022, 12:17 Hatfield, Arthur wrote:

> I think it may be best to split the difference by describing weaknesses as
> flaws that are *potentially* exploitable to cause undesired operation of
> the system and describing vulnerabilities as the subset of weaknesses that
> are *provably* exploitable; that allows the possibility that some
> exploits are either extant but not generally known to exist, or would exist
> if someone applied themselves to finding an exploit technique.
>
> *RT Hatfield*, BS CS, CCITP, CISSP
>
> Staff Cybersecurity Analyst
>
> Lead, Notifications and Operations Service Line
>
> Cyber Threat Intelligence
>
> *The Home Depot*
>
>
> *From: *SJ Jazz 
> *Date: *Thursday, July 14, 2022 at 1:13 PM
> *To: *Rob Wissmann 
> *Cc: *Alec J Summers , CWE Research Discussion <
> cwe-research-list@mitre.org>
> *Subject: *[EXTERNAL] Re: CWE/CAPEC Definitions
>
> Actually, being listed as a CVE is not the criteria for being a
> vulnerability.  Only vulnerabilities catalogued as CVEs are 'known
> vulnerabilities'. There are actual instances of uncatalogued (unpublished)
> vulnerabilities; some are in proprietary or intelligence organization's
> libraries, and some are held by malicious actors for future exploitation
> (at which point they will be known as zero-day vulnerabilities).
>
>
>
> It is the existence of an exploit designed to take advantage of a weakness
> (or multiple weaknesses) and achieve a negative technical impact that makes
> a weakness a vulnerability.
>
>
>
> It is not the state of being publicly known or catalogued that makes it a
> vulnerability.
>
>
>
> ...Joe
>
>
> On Thu, Jul 14, 2022 at 11:50 AM Rob Wissmann wrote:
>
> Regarding the circular definitions, it has always struck me that
> weaknesses are flaws that *may or may not* be exploitable to cause
> negative impact whereas vulnerabilities are flaws *known* to be
> exploitable to cause negative impact.
>
>
>
> A rewrite of the definitions to match this concept:
>
>
>
> *Vulnerability*
>
> *A flaw in a software, firmware, hardware, or service component known to
> be exploitable to cause a negative impact to the confidentiality,
> integrity, or availability of an impacted component or components (from
> CVE®)*
>
> *Weakness*
>
> *A flaw in a software, firmware, hardware, or service component that may
> or may not be exploitable to cause a negative impact to the
> confidentiality, integrity, or availability of an impacted component or
> components.*
>
>
>
> Vulnerabilities must be known to be exploitable because of the CVE
> criteria <https://www.cve.org/About/Process#CVERecordLifecycle>:
> “Details include but are not limited to affected product(s); affected or
> fixed product versions; vulnerability type, root cause, or impact; and at
> least one public reference.”
>
>
>
> An example of a flaw that may or may not be a vulnerability is an integer
> overflow. It might result in a vulnerability, or it might not. That’s a
> weakness.
>
>
>
> Thanks
>
>
>
> *From:* Alec J Summers 
> *Sent:* Wednesday, July 13, 2022 1:09 PM
> *To:* CWE Research Discussion 
> *Subject:* CWE/CAPEC Definitions
>
>
>
> Dear CWE Research Community,
>
>
>
> I hope this email finds you well.
>
>
>
> Over the past few months, the CWE/CAPEC User Experience Working Group has
> been working to modernize our programs through a variety of activities. One
> such activity is harmonizing the definitions on our sites for some of our
> key terminology including weakness, vulnerability, and attack pattern. As
> CWE and CAPEC were developed separately and on a different timeline, some
> of the terms are not defined similarly, and we want to address that.
>
>
>
> We are seeking feedback on our working definitions:
>
>
>
> *Vulnerability*
>
> *A flaw in a software, firmware, hardware, or service component resulting
> from a weakness that can be exploited, causing a negative impact to the
> confidentiality, integrity, or availability of an impacted component or
> components (from CVE®)*
>
> *Weakness*
>
> *A type of flaw or defect inserted during a product lifecycle that, under
> the right conditions, could contribute to the introduction of
> vulnerabilities in a range of products made by different vendors*
>

Re: CWE/CAPEC Definitions

2022-07-14 Thread SJ Jazz
Actually, being listed as a CVE is not the criteria for being a
vulnerability.  Only vulnerabilities catalogued as CVEs are 'known
vulnerabilities'. There are actual instances of uncatalogued (unpublished)
vulnerabilities; some are in proprietary or intelligence organization's
libraries, and some are held by malicious actors for future exploitation
(at which point they will be known as zero-day vulnerabilities).

It is the existence of an exploit designed to take advantage of a weakness
(or multiple weaknesses) and achieve a negative technical impact that makes
a weakness a vulnerability.

It is not the state of being publicly known or catalogued that makes it a
vulnerability.

...Joe



On Thu, Jul 14, 2022 at 11:50 AM Rob Wissmann wrote:

> Regarding the circular definitions, it has always struck me that
> weaknesses are flaws that *may or may not* be exploitable to cause
> negative impact whereas vulnerabilities are flaws *known* to be
> exploitable to cause negative impact.
>
>
>
> A rewrite of the definitions to match this concept:
>
>
>
> *Vulnerability*
>
> *A flaw in a software, firmware, hardware, or service component known to
> be exploitable to cause a negative impact to the confidentiality,
> integrity, or availability of an impacted component or components (from
> CVE®)*
>
> *Weakness*
>
> *A flaw in a software, firmware, hardware, or service component that may
> or may not be exploitable to cause a negative impact to the
> confidentiality, integrity, or availability of an impacted component or
> components.*
>
>
>
> Vulnerabilities must be known to be exploitable because of the CVE
> criteria <https://www.cve.org/About/Process#CVERecordLifecycle>: “Details
> include but are not limited to affected product(s); affected or fixed
> product versions; vulnerability type, root cause, or impact; and at least
> one public reference.”
>
>
>
> An example of a flaw that may or may not be a vulnerability is an integer
> overflow. It might result in a vulnerability, or it might not. That’s a
> weakness.
>
>
>
> Thanks
>
>
>
> *From:* Alec J Summers 
> *Sent:* Wednesday, July 13, 2022 1:09 PM
> *To:* CWE Research Discussion 
> *Subject:* CWE/CAPEC Definitions
>
>
>
> Dear CWE Research Community,
>
>
>
> I hope this email finds you well.
>
>
>
> Over the past few months, the CWE/CAPEC User Experience Working Group has
> been working to modernize our programs through a variety of activities. One
> such activity is harmonizing the definitions on our sites for some of our
> key terminology including weakness, vulnerability, and attack pattern. As
> CWE and CAPEC were developed separately and on a different timeline, some
> of the terms are not defined similarly, and we want to address that.
>
>
>
> We are seeking feedback on our working definitions:
>
>
>
> *Vulnerability*
>
> *A flaw in a software, firmware, hardware, or service component resulting
> from a weakness that can be exploited, causing a negative impact to the
> confidentiality, integrity, or availability of an impacted component or
> components (from CVE®)*
>
> *Weakness*
>
> *A type of flaw or defect inserted during a product lifecycle that, under
> the right conditions, could contribute to the introduction of
> vulnerabilities in a range of products made by different vendors*
>
> *Attack Pattern*
>
> *The common approach and attributes related to the exploitation of a
> weakness, usually in cyber-enabled capabilities*
>
>
>
> *Note*: CVE’s definition for ‘vulnerability’ was agreed upon after
> significant community deliberation, and we are not looking to change it at
> this time.
>
>
>
> We are hoping to publish new, improved definitions on our websites at the
> end of the month. Please provide thoughts and comments by Tuesday, July 26.
>
>
>
> Cheers,
>
> Alec
>
>
>
> --
>
> *Alec J. Summers*
>
> Center for Securing the Homeland (CSH)
>
> Cyber Security Engineer, Principal
>
> Group Lead, Cybersecurity Operations and Integration
>
>
> *MITRE - Solving Problems for a Safer World™*
>
>


-- 
Regards,

Joe

Joe Jarzombek
C 703 627-4644
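The integer-overflow case Rob raises in the quoted message above is a good concrete anchor for the distinction the thread is circling: the same unchecked arithmetic is a weakness wherever it occurs, and whether it counts as a vulnerability depends on where the wrapped value flows and whether an exploit exists for that path. The following C is an added example, written for this page and not taken from any message on the thread or from CWE/CVE material. It uses uint32_t rather than size_t purely so the wrap-around is identical on every platform, and the function names (`mul_overflows`, `record_bytes_unchecked`, `alloc_records_checked`) are hypothetical:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: sizes are uint32_t so that the wrap is deterministic for the
   demonstration; production code would use size_t and SIZE_MAX instead. */

/* The weakness on its own (CWE-190-style unchecked multiplication): the
   product wraps silently. If the result only feeds a statistics counter the
   impact is a wrong number; if it sizes a buffer that is later filled with
   `count` elements, the same flaw is the kind of thing CVE records describe. */
uint32_t record_bytes_unchecked(uint32_t count, uint32_t elem_size) {
    return count * elem_size;   /* 0x10000001 * 16 wraps to 16 */
}

/* Detection: would count * elem_size exceed UINT32_MAX? Division is used
   instead of multiplying so the check itself cannot wrap. */
bool mul_overflows(uint32_t count, uint32_t elem_size) {
    return elem_size != 0 && count > UINT32_MAX / elem_size;
}

/* Mitigation: the allocator refuses rather than handing back a buffer that
   is far smaller than the number of records the caller asked for. */
void *alloc_records_checked(uint32_t count, uint32_t elem_size) {
    if (mul_overflows(count, elem_size)) {
        return NULL;            /* refuse: the size does not fit */
    }
    return malloc(count * elem_size);
}

int main(void) {
    const uint32_t count = 0x10000001u;   /* constructed: 268,435,457 records */
    const uint32_t elem  = 16u;

    printf("unchecked size for %u records x %u bytes: %u bytes\n",
           count, elem, record_bytes_unchecked(count, elem));
    printf("overflow detected: %s\n", mul_overflows(count, elem) ? "yes" : "no");

    void *p = alloc_records_checked(count, elem);
    printf("checked allocator returned: %s\n", p ? "a buffer" : "NULL (refused)");
    free(p);
    return 0;
}
```

Compiled and run, the unchecked computation reports 16 bytes for over 268 million records while the checked allocator returns NULL; a code reviewer or static-analysis rule that flags the first form and expects the second is acting on the weakness before anyone has to decide whether a particular call site is a vulnerability.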


Re: CWE/CAPEC Definitions

2022-07-14 Thread SJ Jazz
A short alternative definition for weakness:  defect or characteristic that
could enable undesirable behaviour

...Joe

On Thu, Jul 14, 2022, 11:18 Paul Wooderson wrote:

> All,
>
>
>
> One issue I see with these definitions of vulnerability and weakness is
> that they are circular, i.e. each term uses the other in its definition. So
> when each term is replaced with its definition in the other term’s
> definition, it is impossible to resolve what is intended. I have tried this
> below (including striking the “range of products” as suggested by others) –
> the substituted definitions are in red text and the circularities are
> highlighted in yellow.
>
>
>
> *Vulnerability*
>
> *A flaw in a software, firmware, hardware, or service component resulting
> from a **type of flaw or defect inserted during a product lifecycle that,
> under the right conditions, could contribute to the introduction of
> vulnerabilities in a range of products made by different vendors** that
> can be exploited, causing a negative impact to the confidentiality,
> integrity, or availability of an impacted component or components (from
> CVE®)*
>
> *Weakness*
>
> *A type of flaw or defect inserted during a product lifecycle that, under
> the right conditions, could contribute to the introduction of flaws in a
> software, firmware, hardware, or service component resulting from a
> weakness that can be exploited, causing a negative impact to the
> confidentiality, integrity, or availability of an impacted component or
> components in a range of products made by different vendors*
>
>
>
> We have recently addressed the same issue with these same terms in the
> recently published automotive cybersecurity standard ISO/SAE 21434. There
> we settled on the following definitions:
>
>
>
> vulnerability
>
> weakness that can be exploited as part of an attack path
>
> weakness
>
> defect or characteristic that can lead to undesirable behaviour
>
>
>
> In this way we can define vulnerabilities as a specific subset of
> weaknesses.
>
>
>
> Definitions in ISO standards tend to be short and less descriptive than
> these from CVE/CWE, so it may not be appropriate to directly suggest them
> here. However, if it is preferred to not make further changes to
> “vulnerability”, then perhaps “weakness” could be modified as follows in
> order to avoid the circularity:
>
>
>
> *Vulnerability*
>
> *A flaw in a software, firmware, hardware, or service component resulting
> from a weakness that can be exploited, causing a negative impact to the
> confidentiality, integrity, or availability of an impacted component or
> components (from CVE®)*
>
> *Weakness*
>
> *A type of flaw or defect inserted during a product lifecycle that, under
> the right conditions, could **lead to undesirable behaviour*
>
>
> Best regards,
>
> Paul
>
>
>
> *Paul Wooderson*
> *Chief Engineer – Cybersecurity*
>
> Email:
>
> *paul.wooder...@horiba-mira.com *
>
> Direct:
>
> +44 24 7635 5244
>
> Mobile:
>
> +44 7731 010066
>
> HORIBA MIRA Ltd.
> Watling Street, Nuneaton
> Warwickshire, CV10 0TU, UK
>
> *www.horiba-mira.com *
>
>
>
> *From:* Alec J Summers 
> *Sent:* 13 July 2022 18:09
> *To:* CWE Research Discussion 
> *Subject:* CWE/CAPEC Definitions
>
>
>
> Dear CWE Research Community,
>
>
>
> I hope this email finds you well.
>
>
>
> Over the past few months, the CWE/CAPEC User Experience Working Group has
> been working to modernize our programs through a variety of activities. One
> such activity is harmonizing the definitions on our sites for some of our
> key terminology including weakness, vulnerability, and attack pattern. As
> CWE and CAPEC were developed separately and on a different timeline, some
> of the terms are not defined similarly, and we want to address that.
>
>
>
> We are seeking feedback on our working definitions:
>
>
>
> *Vulnerability*
>
> *A flaw in a software, firmware, hardware, or service component resulting
> from a weakness that can be exploited, causing a negative impact to the
> confidentiality, integrity, or availability of an impacted component or
> components (from CVE®)*
>
> *Weakness*
>
> *A type of flaw or defect inserted during a product lifecycle that, under
> the right conditions, could contribute to the introduction of
> vulnerabilities in a range of products made by different vendors*
>
> *Attack Pattern*
>
> *The common approach and attributes related to the exploitation of a
> weakness, usually in cyber-enabled capabilities*
>
>
>
> *Note*: CVE’s definition for ‘vulnerability’ was agreed upon after
> significant community deliberation, and we are not looking to change it at
> this time.
>
>
>
> We are hoping to publish new, improved definitions on our websites at the
> end of the month. Please provide thoughts and comments by Tuesday, July 26.
>
>
>
> Cheers,
>
> Alec
>
>
>
> --
>
> *Alec J. Summers*
>
> Center for Securing the Homeland (CSH)
>
> Cyber Security Engineer, Principal
>
> Group Lead, 

Re: CWE/CAPEC Definitions

2022-07-13 Thread SJ Jazz
I still recommend deleting at the end of the definition of weakness "... in
a range of products made by different vendors."

It adds no value, and actually unintentionally limits applicability by
implying weaknesses only apply to products made by vendors.

Regards,

Joe

On Wed, Jul 13, 2022, 12:08 Alec J Summers  wrote:

> Dear CWE Research Community,
>
>
>
> I hope this email finds you well.
>
>
>
> Over the past few months, the CWE/CAPEC User Experience Working Group has
> been working to modernize our programs through a variety of activities. One
> such activity is harmonizing the definitions on our sites for some of our
> key terminology including weakness, vulnerability, and attack pattern. As
> CWE and CAPEC were developed separately and on a different timeline, some
> of the terms are not defined similarly, and we want to address that.
>
>
>
> We are seeking feedback on our working definitions:
>
>
>
> *Vulnerability*
>
> *A flaw in a software, firmware, hardware, or service component resulting
> from a weakness that can be exploited, causing a negative impact to the
> confidentiality, integrity, or availability of an impacted component or
> components (from CVE®)*
>
> *Weakness*
>
> *A type of flaw or defect inserted during a product lifecycle that, under
> the right conditions, could contribute to the introduction of
> vulnerabilities in a range of products made by different vendors*
>
> *Attack Pattern*
>
> *The common approach and attributes related to the exploitation of a
> weakness, usually in cyber-enabled capabilities*
>
>
>
> *Note*: CVE’s definition for ‘vulnerability’ was agreed upon after
> significant community deliberation, and we are not looking to change it at
> this time.
>
>
>
> We are hoping to publish new, improved definitions on our websites at the
> end of the month. Please provide thoughts and comments by Tuesday, July 26.
>
>
>
> Cheers,
>
> Alec
>
>
>
> --
>
> *Alec J. Summers*
>
> Center for Securing the Homeland (CSH)
>
> Cyber Security Engineer, Principal
>
> Group Lead, Cybersecurity Operations and Integration
>
>
> *MITRE - Solving Problems for a Safer World™*
>
>