Re: [Deadline: Tonight] CWE/CAPEC Definitions

2022-08-07 Thread Jim
I know the deadline has passed, and I provided extemporaneous comments earlier. 

I came across a lecture I put together years ago with a reference that I 
thought was relevant to the discussion. 

The Common Criteria standard has definitions for vulnerabilities. See pg 30 of 
CC General Model: https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf 

I feel it is important to use authoritative references when possible. 

Regards,
Jim Whitmore

> On Jul 26, 2022, at 8:05 PM, Maldonado Rosado, Shadya Beatriz wrote:

[Deadline: Tonight] CWE/CAPEC Definitions

2022-07-26 Thread Maldonado Rosado, Shadya Beatriz
Just a soft follow-up and reminder that we are seeking comment from our CAPEC 
and CWE researcher communities on the proposed definitions by 10 PM EST 
tonight. If you have already responded – thank you!

Cheers,

Shadya
Co-Chair, CWE/CAPEC User Experience Working Group
Shadya B. Maldonado Rosado
Cybersecurity Engineer, Principal | Energy Security | 8851
Sandia National Laboratories
Pronouns: she/her


From: Ofer Sheinkin
Sent: Wednesday, July 20, 2022 11:08 PM
To: CAPEC Researcher Discussion
Cc: Godsey, Charles M (Mike); Keith J Hill; Alec J Summers; Karl Ackerman
Subject: [EXTERNAL] Re: CWE/CAPEC Definitions

I believe Karl Ackerman's definition for Weakness is better, but I would stop 
after behavior.

weakness: A deficiency in a product or configuration that allows unintended 
behavior.

Ofer Sheinkin
+972-50-7900400
o...@sheinkin.org

On Wed, Jul 20, 2022 at 10:44 PM Karl Ackerman wrote:
Sorry for chiming in on this but isn't a
weakness: A deficiency in a product or configuration that allows unintended 
behavior or access by an unauthorized entity

From: Godsey, Charles M (Mike)
Sent: Wednesday, July 20, 2022 3:05 PM
To: Keith J Hill; Alec J Summers; CAPEC Researcher Discussion
Subject: RE: CWE/CAPEC Definitions

How about something like this:

Weakness: A state or condition in a product that when subjected to certain 
condition(s) will fail.
Thanks,
Mike

C. Michael Godsey BSETE, MSIE, MBA, CISSP, CISM, GICSP, CFE
Counter-Fraud Capability Leader
Nationwide Insurance 3-23-201
Three Nationwide Plaza
Columbus, OH  43215
Phone: 614.677.2528
Fax: 877.202.5001
Cell: 614.270.0887


From: Keith J Hill
Sent: Wednesday, July 20, 2022 2:53 PM
To: Alec J Summers; CAPEC Researcher Discussion
Subject: [EXTERNAL] RE: CWE/CAPEC Definitions

Thanks for the reminder Alec,
I’m bothered by the Weakness definition, specifically “type of flaw or defect 
inserted...”  because I think this presumes too much.  I’m tossing this into 
the ring for consideration. It incorporates some of the ideas that others 
proposed.
Weakness: A condition that under the right circumstances begins a process or 
combines with other weaknesses to cause a harm in a product or system.
The key is that a weakness is a condition; it may include human and process 
flaws.  A weakness begins or contributes to that chain of circumstances that 
results in a vulnerability/harm.

Keith

From: Alec J Summers
Sent: Wednesday, July 20, 2022 2:39 PM
To: CAPEC Researcher Discussion
Subject: FW: CWE/CAPEC Definitions

Just a soft follow-up and reminder that we are seeking comment from our CAPEC 
researcher community on the proposed definitions by next Tuesday, July 26. If 
you have already responded – thank you!

Cheers,

Alec

--
Alec J. Summers
Center for Securing the Homeland (CSH)
Cyber Security Engineer, Principal
Group Lead, Cybersecurity Operations and Integration
MITRE - Solving Problems for a Safer World™

From: Alec J Summers
Date: Wednesday, July 13, 2022 at 1:08 PM
To: CAPEC Researcher Discussion
Subject: CWE/CAPEC Definitions

Dear CAPEC Research Community,

I hope this email finds you well.

Over the past few months, the CWE/CAPEC User Experience Working Group has been 
working to modernize our programs through a variety of activities. One such 
activity is harmonizing the definitions on our sites for some of our key 
terminology including weakness, vulnerability, and attack pattern. As CWE and 
CAPEC were developed separately and on a different timeline, some of the terms 
are not defined similarly, and we want to address