Re: CWE/CAPEC Definitions

2022-07-21 Thread Ofer Sheinkin
I believe Karl Ackerman's definition for Weakness is better, but I would
stop after behavior.

weakness: *A deficiency in a product or configuration that allows
unintended behavior.*

*Ofer Sheinkin*
+972-50-7900400
o...@sheinkin.org

On Wed, Jul 20, 2022 at 10:44 PM Karl Ackerman wrote:

> Sorry for chiming in on this but isn't a
> weakness: A deficiency in a product or configuration that allows
> unintended behavior or access by an unauthorized entity

Re: CWE/CAPEC Definitions

2022-07-20 Thread Karl Ackerman
Sorry for chiming in on this but isn't a
weakness: A deficiency in a product or configuration that allows unintended 
behavior or access by an unauthorized entity

From: Alec J Summers <asumm...@mitre.org>
Sent: Wednesday, July 20, 2022 2:39 PM
To: CAPEC Researcher Discussion <capec-research-list@mitre.org>
Subject: FW: CWE/CAPEC Definitions



Just a soft follow-up and reminder that we are seeking comment from our CAPEC 
researcher community on the proposed definitions by next Tuesday, July 26. If 
you have already responded – thank you!



Cheers,

Alec



--

Alec J. Summers

Center for Securing the Homeland (CSH)

Cyber Security Engineer, Principal

Group Lead, Cybersecurity Operations and Integration



MITRE - Solving Problems for a Safer World™

From: Alec J Summers <asumm...@mitre.org>
Date: Wednesday, July 13, 2022 at 1:08 PM
To: CAPEC Researcher Discussion <capec-research-list@mitre.org>
Subject: CWE/CAPEC Definitions

Dear CAPEC Research Community,



I hope this email finds you well.



Over the past few months, the CWE/CAPEC User Experience Working Group has been 
working to modernize our programs through a variety of activities. One such 
activity is harmonizing the definitions on our sites for some of our key 
terminology including weakness, vulnerability, and attack pattern. As CWE and 
CAPEC were developed separately and on a different timeline, some of the terms 
are not defined similarly, and we want to address that.



We are seeking feedback on our working definitions:



Vulnerability

A flaw in a software, firmware, hardware, or service component resulting from a 
weakness that can be exploited, causing a negative impact to the 
confidentiality, integrity, or availability of an impacted component or 
components (from CVE®)

Weakness

A type of flaw or defect inserted during a product lifecycle that, under the 
right conditions, could contribute to the introduction of vulnerabilities in a 
range of products made by different vendors

Attack Pattern

The common approach and attributes related to the exploitation of a weakness, 
usually in cyber-enabled capabilities



Note: CVE’s definition for ‘vulnerability’ was agreed upon after significant 
community deliberation, and we are not looking to change it at this time.



We are hoping to publish new, improved definitions on our websites at the end 
of the month. Please provide thoughts and comments by Tuesday, July 26.



Cheers,

Alec



--

Alec J. Summers

Center for Securing the Homeland (CSH)

Cyber Security Engineer, Principal

Group Lead, Cybersecurity Operations and Integration



MITRE - Solving Problems for a Safer World™






RE: CWE/CAPEC Definitions

2022-07-20 Thread Godsey, Charles M (Mike)
How about something like this:

Weakness: A state or condition in a product that when subjected to certain 
condition(s) will fail.

Thanks,
Mike

C. Michael Godsey BSETE, MSIE, MBA, CISSP, CISM, GICSP, CFE
Counter-Fraud Capability Leader
Nationwide Insurance 3-23-201
Three Nationwide Plaza
Columbus, OH  43215
Phone: 614.677.2528
Fax: 877.202.5001
Cell: 614.270.0887


RE: CWE/CAPEC Definitions

2022-07-20 Thread Keith J Hill
Thanks for the reminder Alec,

I'm bothered by the Weakness definition, specifically "type of flaw or defect 
inserted..."  because I think this presumes too much.  I'm tossing this into 
the ring for consideration. It incorporates some of the ideas that others 
proposed.

Weakness: A condition that under the right circumstances begins a process or 
combines with other weaknesses to cause a harm in a product or system.

The key is that a weakness is a condition; it may include human and process
flaws.  A weakness begins or contributes to that chain of circumstances that
results in a vulnerability/harm.

Keith


RE: CWE/CAPEC Definitions

2022-07-15 Thread James Pangburn
To me, there are gems in many of the comments on this, and I beg your 
indulgence as I attempt to put them together here.

I realize we don’t want to touch vulnerability, but if “resulting from a 
weakness” were removed (and I believe it is superfluous), it would solve the 
problem of circular definitions.  Anyway, that can always be left for another 
day.

Addressing the definition of weakness:

I agree with Rob Wissman’s point that “flaw” is not ideal because features that 
are recognized weaknesses today were not always so.  We could be more generic 
by using something like “element.”  I also like most of what Jim Whitmore said 
below, but I think attacks are enabled by vulnerabilities, not weaknesses 
(vulnerabilities are enabled by weaknesses).  So I’m thinking this might be a 
reasonably generic, futureproof definition:

Weakness: An element, misconfiguration or oversight in a technology’s design, 
integration or operation that may cause vulnerabilities to arise.

It seems necessary to me to reference vulnerabilities in the definition of 
weakness, because they are the “concrete instances” of weaknesses.  On the 
other hand, if we go down the path of removing that, it might be nice to 
replace “that may cause …” with something like “that may cause insecure 
operating conditions (i.e. conditions not intended by its designers or 
legitimate users).”  The parenthetical is needed only if we feel the need to 
define “insecure.”

Great discussion,
Jim

From: Jim 
Sent: Friday, July 15, 2022 8:34 AM
To: Alec J Summers 
Cc: capec-research-list@mitre.org
Subject: Re: CWE/CAPEC Definitions

I did not copy everyone on my response…

Jim Whitmore


On Jul 15, 2022, at 10:20 AM, Jim Whitmore <jj-whitm...@comcast.net> wrote:

Alec, thanks for the note. These terms overlap and are sometimes the source of
confusion. I have been working with these resources for several years. My
observation is that the CWE definition is not exactly what the data is, and
the CAPEC definition could be less obtuse.

In my mind...

CAPEC is a catalog of attack patterns where an attack pattern is a behavior and 
exploit associated with actions by bad actors and/or malware.

CWE is a catalog of descriptions of weaknesses, where a weakness is a 
technology flaw, misconfiguration or oversight in design, integration and 
operation that enable attacks by bad actors and malware or lead to unexpected 
operating conditions.

The problem I see is that the current CWE catalog only covers a subset of types of
weaknesses associated with technology (hardware and software). What I mean is
that CAPEC identifies attack behaviors and exploits that have no corresponding
CWE.  This is true for about 25% of the CAPEC entries. Analyzing the 25% of
CAPEC entries reveals that these CAPEC entries are "enabled" by (a) abuses of
normal function, (b) weaknesses in human behavior, (c) etc.

Also, I suggest that CVE should be referenced as a catalog of instances of CWEs.

I am happy to discuss further.

Jim Whitmore



Re: CWE/CAPEC Definitions

2022-07-15 Thread Alexander W. Miranda
Hi,

My take on the weakness term; I would like to emphasize that my preference
is not to use the terms in one definition with the other, which creates a
bit of confusion.




*Vulnerability*
GOOD with the definition

*Weakness*

*Lack of Quality or State in the product lifecycle that, under the right
conditions with likelihood initiates a sequence of events that can lead to
defects in the products, systems, and software.*

*Attack Pattern*

GOOD with the definition


Hope this helps.

thanks

-- 
V/R,
Alexander W. Miranda, Ph.D.
awmira...@gmail.com



Re: CWE/CAPEC Definitions

2022-07-15 Thread Jim
I did not copy everyone on my response…

Jim Whitmore 



Re: CWE/CAPEC Definitions

2022-07-15 Thread Covert, Ed
All,
I enjoyed these definitions and the opportunity to provide input. My thoughts 
are below.


  *   Weakness - A flaw or defect overlooked during a product lifecycle that, 
under the right conditions, could contribute to the introduction or exploit of 
vulnerabilities in a range of products made by different vendors, not limited 
to software
  *   Attack Pattern - The common approach and attributes related to the 
exploitation of a weakness or vulnerability, primarily in software, by 
extension in computer hardware and business logic

Thanks,
Ed

Edwin Covert, CISSP-ISSAP, CISM, CRISC, SCF, PMP
Director, Risk Assessments and Testing - WarnerMedia
Kristy McCormac <kristy.mccor...@warnerbros.com> manages my calendar

818-977-4769
wbd.com

Public Key: gpg --search-keys --keyserver keys.openpgp.org ed.cov...@warnerbros.com

Please note: While I may send an email outside of traditional working hours, I 
do NOT expect a response outside of your own.


RE: CWE/CAPEC Definitions

2022-07-15 Thread Gutman, Gregoriy (CTR)
Hello Alec, et al,

Here is my attempt at definition improvement of weakness and attack pattern.

Weakness - A flaw or defect overlooked during a product lifecycle that, under 
the right conditions, could contribute to the introduction or exploit of 
vulnerabilities in a range of products made by different vendors, not limited 
to software

Attack Pattern - The common approach and attributes related to the exploitation 
of a weakness, primarily in software, by extension in computer hardware and 
business logic

--
Greg Gutman (CTR), CISSP
Email: gregoriy.gut...@associates.fema.dhs.gov
