Re: FW: are parent relationships required for new entries?

2022-08-09 Thread Kurt Seifried
Where do we discuss the process of how CWEs are made and how it can be
improved? E.g. this parent process thing.

On Tue, Aug 9, 2022 at 9:19 AM Alec J Summers  wrote:

> Kurt,
>
> Please direct emails regarding submissions to c...@mitre.org, not the
> Board email list.
>
> Thank you.
>
> Cheers,
> Alec
>
> --
> *Alec J. Summers*
> Center for Securing the Homeland (CSH)
> Cyber Security Engineer, Principal
> Group Lead, Cybersecurity Operations and Integration
> *MITRE - Solving Problems for a Safer World™*
>
> *From: *Kurt Seifried 
> *Date: *Tuesday, August 9, 2022 at 11:18 AM
> *To: *CWE CAPEC Board 
> *Subject: *are parent relationships required for new entries?
>
> Got feedback on one of my entries that includes:
>
> SUB.RELS - "Unclear relationships". Submission suggests some
> relationships, but the name/description is not explained in a way in
> which the relationship is relevant, or the weakness is apparent, but
> it is not clear what the best parent/child relationship(s) would be.
> Resolution: the submission cannot progress to publication stage until
> more clear relationships and direct parents are identified, but it can
> progress to other earlier stages if the CWE Team agrees that the
> potential relationships may require closer investigation.
>
> Is a parent relationship required for a new entry? What happens if
> something completely new is submitted that has no parent?
>
> --
> Kurt Seifried (He/Him)
> k...@seifried.org
>


-- 
Kurt Seifried (He/Him)
k...@seifried.org


are parent relationships required for new entries?

2022-08-09 Thread Kurt Seifried
Got feedback on one of my entries that includes:

SUB.RELS - "Unclear relationships". Submission suggests some
relationships, but the name/description is not explained in a way in
which the relationship is relevant, or the weakness is apparent, but
it is not clear what the best parent/child relationship(s) would be.
Resolution: the submission cannot progress to publication stage until
more clear relationships and direct parents are identified, but it can
progress to other earlier stages if the CWE Team agrees that the
potential relationships may require closer investigation.


Is a parent relationship required for a new entry? What happens if
something completely new is submitted that has no parent?

-- 
Kurt Seifried (He/Him)
k...@seifried.org


Professional working relationships and codes of conduct

2022-07-01 Thread Kurt Seifried
Unfortunately, I’ve had to block Steve Christey Coley on Twitter, I had
requested that he drop a legally sensitive subject, both publicly and in a
private direct message, but he persisted. I hope this does not affect my
working relationship with the CWE board and submissions (which go through
him). Thank you.

https://twitter.com/kurtseifried/status/1542719920022032389?s=21=rsbqt2J0nnmBM8YXZfSYrQ

-- 
Kurt Seifried (He/Him)
k...@seifried.org


Re: Glossary

2022-05-25 Thread Kurt Seifried
"process" means executing process, or like a business process, e.g.
password reset policy?

On Tue, May 24, 2022 at 2:15 PM Jeremy West  wrote:

> Red Hat adopted the following definition of a weakness a year or so ago. "A
> weakness is specifically the absence of a safeguard in an asset or process
> that provides a higher potential or frequency of a threat occurring, but
> does not meet the exploitability criteria for a vulnerability."  We've also
> defined vulnerability much more broadly to include weaknesses as a subset
> "A weakness or absence of a safeguard in an asset that provides a higher
> potential or frequency of a threat occurring."  We were running into
> differing opinions when we looked at each as separate and unique.  The
> other factor we've called out internally is hardening.  The key difference
> between a weakness and hardening for us is that a weakness is a direct
> factor in the potential and frequency vs hardening which are safeguards
> which prevent.
>
> On Tue, May 24, 2022 at 12:49 PM Alec J Summers 
> wrote:
>
>> Dear CWE/CAPEC Board Members,
>>
>> Good afternoon! I hope the week is going well for you all.
>>
>> During a recent CWE/CAPEC User Experience Working Group session, the
>> topic of definitions came up – more specifically, the difficulty in
>> agreeing on good ones and making sure they are understood by downstream
>> users. It also reminded me of Pietro’s comment during our February meeting,
>> I believe, on the importance of harmonious definitions for similar terms
>> across the CVE and CWE/CAPEC sites. To that end, the team went ahead and
>> did a quick document authorities search of our key terminology to start
>> (i.e., vulnerability, weakness, attack pattern), and suggested the
>> following:
>>
>> *Term*: Vulnerability
>> *Definition*: A flaw in a software, firmware, hardware, or service component
>> resulting from a weakness that can be exploited, causing a negative impact
>> to the confidentiality, integrity, or availability of an impacted component
>> or components. (not changed)
>> *Authority*: CVE
>> *Authorities Doc*: website
>>
>> *Term*: Weakness
>> *Definition*: A type of mistake made during the implementation, design, or
>> other phases of a product lifecycle that, under the right conditions, could
>> contribute to the introduction of vulnerabilities in a range of products
>> made by different vendors.
>> *Authority*: n/a
>> *Authorities Doc*: edited from def on CWE website
>>
>> *Term*: Attack Pattern
>> *Definition*: The common approach and attributes related to the exploitation
>> of a known weakness type, usually in cyber-enabled capabilities
>> *Authority*: n/a
>> *Authorities Doc*: edited from def on CAPEC website
>>
>> The full spreadsheet of definitions to compare is attached. The plan
>> would be to unify the definitions according to the above across all our
>> sites. Would love to hear your thoughts.
>>
>> Cheers,
>> Alec
>>
>> --
>> *Alec J. Summers*
>> Center for Securing the Homeland (CSH)
>> Cyber Security Engineer, Principal
>> Group Lead, Cybersecurity Operations and Integration
>> *MITRE - Solving Problems for a Safer World™*
>>
>
> --
> Jeremy West
> Red Hat Product Security
> Red Hat Massachusetts <https://www.redhat.com>
> 314 Littleton Rd
> jw...@redhat.com
> M: 9192686967 IM: hobbit
> <https://red.ht/sig>
>


-- 
Kurt Seifried (He/Him)
k...@seifried.org


special hyphen breaks form

2022-05-17 Thread Kurt Seifried
While submitting a CWE today we ran into a major error which I didn't
screen shot, unfortunately, it spat out a server side validation error in
red text.

I thought it might be hyphen related (title in https://rekt.news/ronin-rekt/)
but that appears to maybe not be the issue.

Anyways I reloaded the form, filled it out, changed the hyphen manually to
a normal one and it submitted correctly. Upon testing again with cut and
paste it seems to have submitted ("TEST" so just ignore that entry).



-- 
Kurt Seifried (He/Him)
k...@seifried.org


Question: definitions for "Modes of Introduction"?

2022-05-13 Thread Kurt Seifried
https://cwe.mitre.org/community/submissions/guidelines.html

 Indicates the point (or points) in the development life cycle during which
the weakness may be introduced. The Phase can cover one or more of: Policy,
Requirements, Architecture and Design, Implementation, Build and
Compilation, Testing, Documentation, Bundling, Distribution, Installation,
System Configuration, Operation, Patching and Maintenance, and Porting.

Where are these defined? Is it entries like this?

https://cwe.mitre.org/data/definitions/16.html

Which doesn't really even have a definition per se.

-- 
Kurt Seifried (He/Him)
k...@seifried.org


Question: what happened to fields like "Modes of introduction"

2022-05-13 Thread Kurt Seifried
Now that I look at the form (https://cwesubmission.mitre.org/) I realize it
doesn't ask for "modes of introduction" and indeed about half of the
defined fields (Applicable platforms, common consequences, etc.).

Are we still using those fields moving forwards? I assume
https://cwesubmission.mitre.org/ is the correct format or is the missing
stuff populated by MITRE or something else?

-- 
Kurt Seifried (He/Him)
k...@seifried.org


Twitter hashtag

2022-04-23 Thread Kurt Seifried
So it appears over the last few years that Twitter is about the last public
venue for people to announce and discuss vulnerabilities/incidents (e.g.
#log4shell). I see a TON of discussions around smart contracts and
blockchain stuff that isn't covered in CWE yet. I'm going to start pushing
the hashtag #cwerequest so these discussions (about stuff that should have
a CWE identifying it) are easier to find and catalog.

https://twitter.com/hashtag/cwerequest


-- 
Kurt Seifried (He/Him)
k...@seifried.org


Re: [EXT] Re: CWE/CAPEC Rest API Working Group Documentation

2022-03-04 Thread Kurt Seifried
Maybe this question was already answered but I can't find it: what's the
backend data source? E.g. will the REST API simply provide an interface to
the XML download, and then that XML gets updated as MITRE releases new
versions? I assume the "source of truth" is still on an internal MITRE
system, if so how does that data get to the rest API (do we need an API for
that ;).

On Fri, Mar 4, 2022 at 12:31 PM Alec J Summers  wrote:

> Good afternoon, all!
>
> I wanted to clarify one point with respect to the API WG. The group is
> open to all community members with interest in participating, and the
> deliberations, work, decisions, etc. will be public. While elements of the
> CWE/CAPEC sites’ backend infrastructure are not currently open-source, the
> REST API itself will be, as well as any reference implementations that the
> WG chooses to develop. Most of the REST API development will take place
> outside of the MITRE team and so the code will be open source and
> integrated with the closed source CWE/CAPEC backend infrastructure.
>
> It is conceivable that all CWE/CAPEC code could one day be open-source,
> but that is not the case right now.
>
> Cheers,
> Alec
>
> --
> *Alec J. Summers*
> Cyber Solutions Innovation Center
> Group Leader, Software Assurance Research & Practice
> Cyber Security Engineer, Lead
> O: (781) 271-6970
> C: (781) 496-8426
> *MITRE - Solving Problems for a Safer World*
>
> *From: *Alec J Summers 
> *Date: *Tuesday, March 1, 2022 at 6:15 PM
> *To: *Seifried, Kurt , Adam Cron <
> adam.c...@synopsys.com>
> *Cc: *CWE CAPEC Board , Hayashi, Kathy <
> kat...@qualcomm.com>, Sherman, Brent , Oberg,
> Jason 
> *Subject: *Re: [EXT] Re: CWE/CAPEC Rest API Working Group Documentation
>
> Clarification: “working on read access to start.”
>
> Apologies for the miscommunication.
>
> Cheers,
> Alec
>
> --
> *Alec J. Summers*
> Cyber Solutions Innovation Center
> Group Leader, Software Assurance Research & Practice
> Cyber Security Engineer, Lead
> O: (781) 271-6970
> C: (781) 496-8426
> *MITRE - Solving Problems for a Safer World*
>
> *From: *Alec J Summers 
> *Date: *Tuesday, March 1, 2022 at 5:41 PM
> *To: *Seifried, Kurt , Adam Cron <
> adam.c...@synopsys.com>
> *Cc: *CWE CAPEC Board , Hayashi, Kathy <
> kat...@qualcomm.com>, Sherman, Brent , Oberg,
> Jason 
> *Subject: *Re: [EXT] Re: CWE/CAPEC Rest API Working Group Documentation
>
> Kurt,
>
> Thanks for your note. This was a question that Adam et al answered in the
> document I shared on 2/24. In short, the working group would start working
> towards a REST API to start.
>
> Best,
> Alec
>
> --
> *Alec J. Summers*
> Cyber Solutions Innovation Center
> Group Leader, Software Assurance Research & Practice
> Cyber Security Engineer, Lead
> O: (781) 271-6970
> C: (781) 496-8426
> *MITRE - Solving Problems for a Safer World*
>
> *From: *Kurt Seifried 
> *Date: *Tuesday, March 1, 2022 at 5:33 PM
> *To: *Adam Cron 
> *Cc: *Alec J Summers , CWE CAPEC Board <
> cwe-capec-board-list@mitre.org>, Hayashi, Kathy ,
> Sherman, Brent , Oberg, Jason <
> ja...@tortugalogic.com>
> *Subject: *Re: [EXT] Re: CWE/CAPEC Rest API Working Group Documentation
>
> Is this REST API read only, or also write to update CWEs, or?
>
> On Tue, Mar 1, 2022 at 9:23 AM Adam Cron  wrote:
>
> I have no objections. Enclosed is a strawman invitation. Please edit or
> comment as you see fit. Please don’t forward it out, yet.
>
> Best regards,
>
> Adam
>
> *From:* Alec J Summers 
> *Sent:* Tuesday, March 1, 2022 9:45 AM
> *To:* CWE CAPEC Board 
> *Cc:* Adam Cron ; Hayashi, Kathy ;
> Sherman, Brent ; Oberg, Jason <
> ja...@tortugalogic.com>
> *Subject:* Re: [EXT] Re: CWE/CAPEC Rest API Working Group Documentation
>
> Good morning, all.
>
> I wanted to follow up on this thread and see if there were any other
> questions or thoughts for the REST API Working Group proposal.
>
> If not, I wanted to ask if there were any objections to officially
> authorize this group to begin discussions and determine the path forward.
>
> Cheers,
> Alec
>
> --
>
> *Alec J. Sum

Re: Question about https://cwesubmission.mitre.org/

2022-03-02 Thread Kurt Seifried
On Tue, Mar 1, 2022 at 4:19 PM Alec J Summers  wrote:

> Kurt,
>
> Thanks for your note and patience in my reply.
>
>    1. what happens to the data once submitted? I assume some private work
>    queue at MITRE?
>
>    Yes, for our new web submission form’s initial operating capability, the
>    entries live in a CWE/CAPEC team private queue. Our first goal was
>    primarily to simplify the process for users seeking to suggest new
>    entries for us. This is preferable to someone filling out the entire .txt
>    form, which we request community members not to do before ensuring their
>    suggestion is a) in scope and b) warrants an entirely new entry.
>    Relatedly, we outline in our submission guidelines some of the most
>    common problems with integrating content suggestions into CWE (direct
>    link to that section here:
>    https://cwe.mitre.org/community/submissions/guidelines.html#common_problems
>
>    2. how do I track stuff I submit? Is there a URL I can check?
>
>    Not yet. The team is working on a solution for that. For the rapid
>    expansion of the HW content, the team used SharePoint with a tracking
>    spreadsheet, but we want to move beyond that into a more collaborative
>    and transparent space. This is an ongoing concern, and we are giving it
>    high priority. For example, many hardware submissions have larger issues
>    that require consultation with the HW SIG.
>
>    3. how many requests are in the queue currently?
>
>    We are not tracking submissions in a way that allows us to easily
>    generate metrics, as that requires metadata that we have not yet
>    formalized. We currently have about 10 [software+hardware] "complete"
>    submissions - that is, submissions that have all the requested fields. We
>    also have about 10 hardware and 20 software "bare-bones" submissions -
>    which usually are barely more than a description and a reference. Almost
>    all complete submissions have problems related to scope or lack of a
>    clear weakness. Almost all bare-bones submissions require extensive
>    analysis and original research. We JUST launched the web submission form
>    and we have thus far received 1 community suggestion through it.
>
It sounds like this part would especially benefit from being done in
public so more people can participate and flesh these entries out.
Especially if they get some credit for it (e.g. a credits section in the
CWE for who helped create/write it).

>    4. can we make this more public so people don't submit duplicates,
>    or if there are similar ones already in the works we can see it?
>
>    Yes, that is our plan. We hope that the overall quality of
>    submissions will be improved by public review in the early stages.
>
> Best,
> Alec
>
> --
> *Alec J. Summers*
> Cyber Solutions Innovation Center
> Group Leader, Software Assurance Research & Practice
> Cyber Security Engineer, Lead
> O: (781) 271-6970
> C: (781) 496-8426
> *MITRE - Solving Problems for a Safer World*
>
> *From: *Kurt Seifried 
> *Date: *Monday, February 28, 2022 at 11:32 AM
> *To: *CWE CAPEC Board 
> *Subject: *Question about https://cwesubmission.mitre.org/
>
> I have some questions about https://cwesubmission.mitre.org/
>
> 1) what happens to the data once submitted? I assume some private work
> queue at MITRE?
> 2) how do I track stuff I submit? Is there a URL I can check?
> 3) how many requests are in the queue currently?
> 4) can we make this more public so people don't submit duplicates, or if
> there are similar ones already in the works we can see it?
>
> Thanks
>
> --
> Kurt Seifried (He/Him)
> k...@seifried.org
>


-- 
Kurt Seifried (He/Him)
k...@seifried.org


Re: [EXT] Re: CWE/CAPEC Rest API Working Group Documentation

2022-03-01 Thread Kurt Seifried
> Cheers,
> Alec
>
> --
> *Alec J. Summers*
> Cyber Solutions Innovation Center
> Group Leader, Software Assurance Research & Practice
> Cyber Security Engineer, Lead
> O: (781) 271-6970
> C: (781) 496-8426
> *MITRE - Solving Problems for a Safer World*
>
>
> --
> Dr. Jason Oberg | Co-Founder and CTO | +1 (808) 635-7604
> Tortuga Logic <http://www.tortugalogic.com/> | 75 E Santa Clara Street, San Jose, CA 95113
>
> NOTICE TO RECIPIENT | This email and any attachments may contain private,
> confidential and privileged material for the sole use of the intended
> recipient. If you are not the intended recipient, please immediately notify
> the sender of the error by return email and delete this email and any
> attachments.
>


-- 
Kurt Seifried (He/Him)
k...@seifried.org


Question about https://cwesubmission.mitre.org/

2022-02-28 Thread Kurt Seifried
I have some questions about https://cwesubmission.mitre.org/

1) what happens to the data once submitted? I assume some private work
queue at MITRE?
2) how do I track stuff I submit? Is there a URL I can check?
3) how many requests are in the queue currently?
4) can we make this more public so people don't submit duplicates, or if
there are similar ones already in the works we can see it?

Thanks


-- 
Kurt Seifried (He/Him)
k...@seifried.org


Re: CWE/CAPEC Board Update and Meeting Availability

2022-01-19 Thread Kurt Seifried
Nope, I have a hard cut off of 12:30 Mountain, Mon-Fri until June and
possibly for the next school year as well.

On Wed, Jan 19, 2022 at 8:44 AM Alec J Summers  wrote:

> Kurt,
>
> Thanks for your note. I appreciate the challenges you are facing.
>
> Is this resolvable at all by choosing a different day of the week/time of
> day? Or, is this going to be a problem in general henceforth until the
> school year ends?
>
> Thanks,
> Alec
>
> --
> *Alec J. Summers*
> Cyber Solutions Innovation Center
> Group Leader, Software Assurance Research & Practice
> Cyber Security Engineer, Lead
> O: (781) 271-6970
> C: (781) 496-8426
> *MITRE - Solving Problems for a Safer World*
>
> *From: *Kurt Seifried 
> *Date: *Wednesday, January 19, 2022 at 10:42 AM
> *To: *Marisa Harriston 
> *Cc: *Gazlay, Jay , CWE CAPEC Board <
> cwe-capec-board-list@mitre.org>
> *Subject: *Re: CWE/CAPEC Board Update and Meeting Availability
>
> I can't make any of these due to schedule conflict with my kids (online
> school, they need a lot of support).
>
>
>
> On Thu, Jan 13, 2022 at 9:12 AM Marisa Harriston 
> wrote:
>
> Good morning – For the ‘no response’ category, not receiving a clear vote
> (e.g., just receiving a comment about a document) was included. We had
> generally heard from each of the individuals without a response about other
> topics in recent weeks.
>
>
>
> *From:* Gazlay, Jay 
> *Sent:* Thursday, January 13, 2022 11:08 AM
> *To:* Seifried, Kurt ; Marisa Harriston <
> mharris...@mitre.org>
> *Cc:* CWE CAPEC Board 
> *Subject:* Re: CWE/CAPEC Board Update and Meeting Availability
>
>
> Kurt,
>
> I got the email and should have abstained. I support the effort, but as
> the sponsor feel that I should let the other members of the board have
> their voice.
>
> Regards,
>
> Jay E. Gazlay
> 202.262.7284
> Cyber + Infrastructure Security Agency
> “Simplify, then add lightness”
>
> --
>
> *From:* Kurt Seifried 
> *Sent:* Thursday, January 13, 2022 10:48
> *To:* Marisa Harriston 
> *Cc:* CWE CAPEC Board 
> *Subject:* Re: CWE/CAPEC Board Update and Meeting Availability
>
> Do we know that those 4 people even got the email?
>
>
>
> On Thu, Jan 13, 2022 at 8:10 AM Marisa Harriston 
> wrote:
>
> Dear CWE/CAPEC Board members,
>
> I hope this message finds you well. Thanks to everyone who voted on the
> CWE/CAPEC Board Charter and Code of Conduct over the last several weeks. We
> will be uploading the final version of each document to the CWE website
> soon. In the meantime, the breakdown of responses was as follows:
>
> Yes: 9
> Abstain: 1
> No response: 4
>
> Finally, please fill out this poll
> <https://doodle.com/poll/rdhep8z6tepaznkv?utm_source=poll_medium=link>
> when you have a moment so that we may schedule February’s Board meeting.
>
> Regards,
> Marisa
>
> Marisa Harriston
> The MITRE Corporation <http://www.mitre.org/>
> Human & Organizational Systems
> 703-983-3670
>
> --
> Kurt Seifried (He/Him)
> k...@seifried.org
>
> --
> Kurt Seifried (He/Him)
> k...@seifried.org
>


-- 
Kurt Seifried (He/Him)
k...@seifried.org


Re: CWE/CAPEC Board Update and Meeting Availability

2022-01-19 Thread Kurt Seifried
I can't make any of these due to schedule conflict with my kids (online
school, they need a lot of support).

On Thu, Jan 13, 2022 at 9:12 AM Marisa Harriston 
wrote:

> Good morning – For the ‘no response’ category, not receiving a clear vote
> (e.g., just receiving a comment about a document) was included. We had
> generally heard from each of the individuals without a response about other
> topics in recent weeks.
>
>
>
> *From:* Gazlay, Jay 
> *Sent:* Thursday, January 13, 2022 11:08 AM
> *To:* Seifried, Kurt ; Marisa Harriston <
> mharris...@mitre.org>
> *Cc:* CWE CAPEC Board 
> *Subject:* Re: CWE/CAPEC Board Update and Meeting Availability
>
>
> Kurt,
>
> I got the email and should have abstained. I support the effort, but as
> the sponsor feel that I should let the other members of the board have
> their voice.
>
> Regards,
>
> Jay E. Gazlay
> 202.262.7284
> Cyber + Infrastructure Security Agency
> “Simplify, then add lightness”
>
> --
>
> *From:* Kurt Seifried 
> *Sent:* Thursday, January 13, 2022 10:48
> *To:* Marisa Harriston 
> *Cc:* CWE CAPEC Board 
> *Subject:* Re: CWE/CAPEC Board Update and Meeting Availability
>
> Do we know that those 4 people even got the email?
>
>
>
> On Thu, Jan 13, 2022 at 8:10 AM Marisa Harriston 
> wrote:
>
> Dear CWE/CAPEC Board members,
>
> I hope this message finds you well. Thanks to everyone who voted on the
> CWE/CAPEC Board Charter and Code of Conduct over the last several weeks. We
> will be uploading the final version of each document to the CWE website
> soon. In the meantime, the breakdown of responses was as follows:
>
> Yes: 9
> Abstain: 1
> No response: 4
>
> Finally, please fill out this poll
> <https://doodle.com/poll/rdhep8z6tepaznkv?utm_source=poll_medium=link>
> when you have a moment so that we may schedule February’s Board meeting.
>
> Regards,
> Marisa
>
> Marisa Harriston
> The MITRE Corporation <http://www.mitre.org/>
> Human & Organizational Systems
> 703-983-3670
>
> --
> Kurt Seifried (He/Him)
> k...@seifried.org
>


-- 
Kurt Seifried (He/Him)
k...@seifried.org


Re: CWE/CAPEC Board Update and Meeting Availability

2022-01-13 Thread Kurt Seifried
Do we know that those 4 people even got the email?

On Thu, Jan 13, 2022 at 8:10 AM Marisa Harriston 
wrote:

> Dear CWE/CAPEC Board members,
>
> I hope this message finds you well. Thanks to everyone who voted on the
> CWE/CAPEC Board Charter and Code of Conduct over the last several weeks. We
> will be uploading the final version of each document to the CWE website
> soon. In the meantime, the breakdown of responses was as follows:
>
> Yes: 9
> Abstain: 1
> No response: 4
>
> Finally, please fill out this poll
> <https://doodle.com/poll/rdhep8z6tepaznkv?utm_source=poll_medium=link>
> when you have a moment so that we may schedule February’s Board meeting.
>
> Regards,
> Marisa
>
> Marisa Harriston
> The MITRE Corporation <http://www.mitre.org/>
> Human & Organizational Systems
> 703-983-3670
>


-- 
Kurt Seifried (He/Him)
k...@seifried.org


Re: Question about the data

2021-11-18 Thread Kurt Seifried
On Thu, Nov 18, 2021 at 8:25 AM Alec J Summers  wrote:

> Kurt,
>
>
>
> Thanks for your follow-up on this. It’s funny you should mention the
>  attribute of entries as this is something that has recently been
> on our radar to recalibrate. The results of the UEWG’s schema element
> card-sorting exercise from this Fall suggested that the community places
> much more weight on this element than the team had expected.
>
>
>
> Overall, we haven’t been actively maintaining or updating the 
> attribute of entries in years. Most recent new entries (e.g., much of the
> Hardware content) were originally published and labeled according to the
> schema definitions. Refining entries in the 2021 CWE Most Important
> Hardware Weaknesses List was the first time recently that we have actively
> updated the Status attribute – but only for those 17 entries because we
> filled in missing elements in those entries with the help of the original
> submitters.
>
>
>
> Directly after the UEWG card-sorting survey analysis, we started some
> metrics work to clarify the “completeness” of entries within CWE and CAPEC
> in order to prioritize content improvement efforts. Our plan is to
> integrate this completeness work with a recalibration of all entries’
> Status element, so many entries’ Status may change. Additionally, we intend
> to change the Status values; "Incomplete" is technically correct based on
> our schema definition, but is actively being mis-interpreted by users. The
> team will change the Status enumeration values to more appropriate labels.
>

Can you share those metrics?


>
> I am targeting the next releases (Q1 2022) for Status element
> recalibration, attribute value changes, and related updates to the content
> submission guidelines/form.
>
> Best,
> Alec
>
> --
> *Alec J. Summers*
> Cyber Solutions Innovation Center
> Group Leader, Software Assurance Research & Practice
> Cyber Security Engineer, Lead
> O: (781) 271-6970
> C: (781) 496-8426
> *MITRE - Solving Problems for a Safer World*
>
> *From: *Kurt Seifried 
> *Date: *Wednesday, November 17, 2021 at 12:59 PM
> *To: *Alec J Summers 
> *Cc: *CWE CAPEC Board 
> *Subject: *Re: Question about the data
>
> Ahh ok, I was just looking at " file but only about halfway, which is all Weaknesses until you hit 90%).
> With the Category/Views added the numbers add up. My next question would be
> what does it take to get an entry from Draft/Incomplete to Stable?
>
>
>
> 61 Status="Deprecated"
>
> 514 Status="Draft"
>
> 607 Status="Incomplete"
>
> 96 Status="Obsolete"
>
> 79 Status="Stable"
>
>
>
> The schema says:
>
>
>
> A value of Incomplete means that the entity does not have all important
> elements filled, and there is no guarantee of quality. A value of Draft
> refers to an entity that has all important elements filled, and critical
> elements such as Name and Description are reasonably well-written; the
> entity may still have important problems or gaps. A value of Usable refers
> to an entity that has received close, extensive review, with critical
> elements verified. A value of Stable indicates that all important elements
> have been verified, and the entry is unlikely to change significantly in
> the future. Note that the quality requirements for Draft and Usable status
> are very resource-intensive to accomplish, while some Incomplete and Draft
> entries are actively used by the general public; so, this status
> enumeration might change in the future.
>
>
>
> E.g. https://cwe.mitre.org/community/submissions/guidelines.html doesn't
> list which are important/etc.
>
>
>
> and does it matter at all or is good enough ok? ("while some Incomplete
> and Draft entries are actively used by the general public" would be the
> common case).
>
>
>
> On Wed, Nov 17, 2021 at 6:50 AM Alec J Summers  wrote:
>
> Kurt,
>
>
>
> Good morning, and thanks for your note. I wanted to double check with the
> team on this and was able to confirm my supposition.
>
>
>
> As you know, some CWE entries are ‘Weaknesses’, whereas others are
> ‘Categories’, and others are ‘Views’.
>
>
>
> The CWE XML – as specified in the schema – first lists all weaknesses
> (under the  element), then all categories (under the
>  element), etc.
>
>
>
> You can confirm that CWE-2 is in the downloaded XML by doing a simple grep
> for ‘ID=”2”’ and noting that there is an element with the following line:
>
>
>
>
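A small parser, added here as an example (it is not code from this thread or from MITRE), that does programmatically what the grep commands and the Status tallies above do by hand: it walks Weakness, Category and View entries in a CWE-style XML file, counts Status values per element kind, and reports which IDs in a range appear under no entry at all, which is why a Weakness-only scan shows IDs like 1, 2 and 4 as "missing". The sample document is constructed in the shape the thread describes; the namespace URI is a placeholder, so tags are compared by local name, which also works on the real cwec file.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample (not the real cwec file) in the shape the thread describes:
# every <Weakness> first, then every <Category>, then every <View>, each carrying
# ID and Status attributes. IDs 1 and 4 are deliberately absent, as deprecated
# entries are in the real catalog; ID 2 ("7PK - Environment", a Category) and
# View 604 ("Deprecated Entries") are taken from the thread. Other names are made
# up, and the namespace URI is a placeholder.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Weakness_Catalog xmlns="http://example.invalid/cwe-sample" Version="4.6">
  <Weaknesses>
    <Weakness ID="5" Name="Sample weakness 5" Status="Draft"/>
    <Weakness ID="6" Name="Sample weakness 6" Status="Incomplete"/>
    <Weakness ID="7" Name="Sample weakness 7" Status="Incomplete"/>
    <Weakness ID="8" Name="Sample weakness 8" Status="Incomplete"/>
    <Weakness ID="20" Name="Sample weakness 20" Status="Stable"/>
  </Weaknesses>
  <Categories>
    <Category ID="2" Name="7PK - Environment" Status="Draft"/>
    <Category ID="3" Name="Sample category 3" Status="Obsolete"/>
  </Categories>
  <Views>
    <View ID="604" Name="Deprecated Entries" Status="Draft"/>
  </Views>
</Weakness_Catalog>
"""

# The three element kinds that carry a CWE ID, in the order the file lists them.
ENTRY_KINDS = ("Weakness", "Category", "View")

# Status values enumerated by the schema text quoted in the thread.
KNOWN_STATUSES = {"Deprecated", "Draft", "Incomplete", "Obsolete", "Stable", "Usable"}


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def load_entries(xml_text):
    """Return [(kind, id, status), ...] for every ID-bearing entry, in document order."""
    root = ET.fromstring(xml_text)
    entries = []
    for el in root.iter():
        kind = local_name(el.tag)
        if kind in ENTRY_KINDS and "ID" in el.attrib:
            status = el.attrib.get("Status", "")
            if status not in KNOWN_STATUSES:
                raise ValueError(f"{kind} {el.attrib['ID']}: unknown Status {status!r}")
            entries.append((kind, int(el.attrib["ID"]), status))
    return entries


def status_counts(entries, kinds=ENTRY_KINDS):
    """Tally Status values; pass kinds=("Weakness",) to reproduce a Weakness-only scan."""
    return Counter(status for kind, _, status in entries if kind in kinds)


def missing_ids(entries, lo, hi, kinds=ENTRY_KINDS):
    """IDs in [lo, hi] that no entry of the given kinds carries."""
    present = {eid for kind, eid, _ in entries if kind in kinds}
    return [i for i in range(lo, hi + 1) if i not in present]


def explain_id(entries, eid):
    """Why an ID is not a Weakness: it lives under another element kind, or it is absent."""
    for kind, present_id, status in entries:
        if present_id == eid:
            return f"{kind} (Status={status})"
    return "not in the catalog (deprecated or unassigned)"


if __name__ == "__main__":
    found = load_entries(SAMPLE_XML)
    print("all kinds:      ", dict(status_counts(found)))
    print("weaknesses only:", dict(status_counts(found, ("Weakness",))))
    for gap in missing_ids(found, 1, 8, ("Weakness",)):
        print(f"CWE-{gap}: {explain_id(found, gap)}")
```

To run it against the real download, replace SAMPLE_XML with the contents of the unzipped cwec file; the per-kind tallies will then show how much of the "Incomplete"/"Draft" count comes from Weaknesses versus Categories and Views.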

Re: Question about the data

2021-11-17 Thread Kurt Seifried
Ahh ok, I was just looking at "https://cwe.mitre.org/community/submissions/guidelines.html doesn't
list which are important/etc.

and does it matter at all or is good enough ok? ("while some Incomplete and
Draft entries are actively used by the general public" would be the common
case).

On Wed, Nov 17, 2021 at 6:50 AM Alec J Summers  wrote:

> Kurt,
>
>
>
> Good morning, and thanks for your note. I wanted to double check with the
> team on this and was able to confirm my supposition.
>
>
>
> As you know, some CWE entries are ‘Weaknesses’, whereas others are
> ‘Categories’, and others are ‘Views’.
>
>
>
> The CWE XML – as specified in the schema – first lists all weaknesses
> (under the  element), then all categories (under the
>  element), etc.
>
>
>
> You can confirm that CWE-2 is in the downloaded XML by doing a simple grep
> for ‘ID=”2”’ and noting that there is an element with the following line:
>
>
>
> 
>
>
>
> We have downloaded the latest cwec file using the URL that you specified
> and confirmed the existence of CWE-2.
>
>
>
> You can use the following command line to see all the listed entries
> (tested on Red Hat Linux):
>
>
>
> egrep '<(Weakness|Category|View).*ID="[0-9]+"' cwec_v4.6.xml
>
>
>
> To confirm that CWE-1 is present, try the following command:
>
>
>
> egrep '<(Weakness|Category|View).*ID="[0-9]+"' cwec_v4.6.xml | egrep 'ID="1"'
>
>
>
> The total list of deprecated entries (23 weaknesses, 35 categories, and 3
> views – total of 61) can be viewed here:
> https://cwe.mitre.org/data/definitions/604.html
>
>
>
> Best,
>
> Alec
>
>
>
> --
>
> *Alec J. Summers*
>
> Cyber Solutions Innovation Center
>
> Group Leader, Software Assurance Research & Practice
>
> Cyber Security Engineer, Lead
>
> O: (781) 271-6970
>
> C: (781) 496-8426
>
>
> *MITRE - Solving Problems for a Safer World*
>
>
>
>
>
> *From: *Kurt Seifried 
> *Date: *Tuesday, November 16, 2021 at 8:48 PM
> *To: *CWE CAPEC Board 
> *Subject: *Question about the data
>
> I just grabbed the XML data (
> https://cwe.mitre.org/data/xml/cwec_latest.xml.zip) and was looking
> through it, by ID, so from the start e.g.:
>
>
>
> 5
>
> 6
>
> 7
>
> 8
>
> 9
>
> 11
>
> 12
>
> 13
>
> 14
>
> 15
>
> 20
>
>
>
> And some are missing, when I went and looked I got:
>
>
>
> https://cwe.mitre.org/data/definitions/1.html
>
> deprecated (makes sense)
>
>
>
> https://cwe.mitre.org/data/definitions/2.html
>
> CWE CATEGORY: 7PK - Environment
>
>
>
> https://cwe.mitre.org/data/definitions/3.html
>
> https://cwe.mitre.org/data/definitions/4.html
>
> deprecated (makes sense)
>
>
>
> I'm wondering what the deal with CWE-2 is; it's clearly not terribly
> useful, but it's... sort of alive? Dead? Zombie?
>
>
>
> The CWE IDs go up to 1351, and of those there are 947 live ones; does that
> sound right (so 400+ are deprecated)?
>
>
>
> --
>
> Kurt Seifried (He/Him)
> k...@seifried.org
>


-- 
Kurt Seifried (He/Him)
k...@seifried.org

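The listing that the egrep one-liners in Alec's reply produce, done as a small XML parser instead; this is an added example, not MITRE's or the list's own code. It enumerates every Weakness, Category and View entry with its Status, looks up a single ID such as CWE-2, and reports live vs. deprecated counts and never-assigned ID gaps. The catalog embedded below is a constructed sample shaped like cwec_v4.6.xml; its namespace, sample names and statuses are assumptions.

```python
"""List CWE catalog entries (Weakness / Category / View) by ID and Status.
Added example, not MITRE's code. SAMPLE_CATALOG is a constructed stand-in shaped
like cwec_v4.6.xml; its namespace, names and statuses are assumptions, except
CWE-2 "7PK - Environment" and view 604, which the thread itself mentions."""
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass
from typing import Optional

ENTRY_TAGS = ("Weakness", "Category", "View")  # the three kinds of CWE entry
SAMPLE_CATALOG = """<Weakness_Catalog xmlns="http://cwe.mitre.org/cwe-6" Version="4.6">
  <Weaknesses>
    <Weakness ID="1" Name="DEPRECATED: constructed sample" Status="Deprecated"/>
    <Weakness ID="5" Name="Constructed sample weakness A" Status="Draft">
      <Description>Nested elements must not be mistaken for entries.</Description>
    </Weakness>
    <Weakness ID="6" Name="Constructed sample weakness B" Status="Incomplete"/>
  </Weaknesses>
  <Categories>
    <Category ID="2" Name="7PK - Environment" Status="Incomplete"/>
    <Category ID="3" Name="DEPRECATED: constructed sample" Status="Deprecated"/>
  </Categories>
  <Views>
    <View ID="604" Name="Deprecated Entries" Status="Incomplete"/>
  </Views>
</Weakness_Catalog>"""

@dataclass(frozen=True)
class Entry:
    kind: str    # Weakness, Category or View
    cwe_id: int
    name: str
    status: str  # Incomplete, Draft, Usable, Deprecated

def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # '{http://cwe.mitre.org/cwe-6}Weakness' -> 'Weakness'

def parse_catalog(xml_text: str) -> list:
    """Every entry in the catalog, sorted by ID, whatever section it sits in.
    Matching the element's local name (rather than regexing the text, as the
    egrep one-liner does) means nested elements can never be miscounted."""
    root = ET.fromstring(xml_text)
    found = [Entry(_local(el.tag), int(el.attrib["ID"]),
                   el.attrib.get("Name", ""), el.attrib.get("Status", ""))
             for el in root.iter() if _local(el.tag) in ENTRY_TAGS and "ID" in el.attrib]
    return sorted(found, key=lambda e: e.cwe_id)

def lookup(entries, cwe_id: int) -> Optional[Entry]:
    """The entry with exactly this ID, or None if the ID was never assigned."""
    return next((e for e in entries if e.cwe_id == cwe_id), None)

def summary(entries) -> dict:
    """Counts by kind and by status, plus the live (non-Deprecated) total."""
    return {"by_kind": Counter(e.kind for e in entries),
            "by_status": Counter(e.status for e in entries),
            "live": sum(1 for e in entries if e.status != "Deprecated")}

def missing_ids(entries, upto: Optional[int] = None) -> list:
    """IDs in 1..upto with no entry at all: neither live nor deprecated."""
    present = {e.cwe_id for e in entries}
    return [i for i in range(1, (upto or max(present)) + 1) if i not in present]

if __name__ == "__main__":
    for e in parse_catalog(SAMPLE_CATALOG):  # the listing the egrep one-liner gives, typed
        print(f"{e.kind:9} ID={e.cwe_id:<5} Status={e.status:<11} {e.name}")
```

To run it over the real file, read cwec_v4.6.xml into a string and pass it to parse_catalog; the namespace-stripping makes it indifferent to which schema version the file declares.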

Question about the data

2021-11-16 Thread Kurt Seifried
I just grabbed the XML data (
https://cwe.mitre.org/data/xml/cwec_latest.xml.zip) and was looking through
it, by ID, so from the start e.g.:

5
6
7
8
9
11
12
13
14
15
20

And some are missing, when I went and looked I got:

https://cwe.mitre.org/data/definitions/1.html
deprecated (makes sense)

https://cwe.mitre.org/data/definitions/2.html
CWE CATEGORY: 7PK - Environment

https://cwe.mitre.org/data/definitions/3.html
https://cwe.mitre.org/data/definitions/4.html
deprecated (makes sense)

I'm wondering what the deal with CWE-2 is; it's clearly not terribly
useful, but it's... sort of alive? Dead? Zombie?

The CWE IDs go up to 1351, and of those there are 947 live ones; does that
sound right (so 400+ are deprecated)?

-- 
Kurt Seifried (He/Him)
k...@seifried.org


Re: Board Charter draft 1.1 - for review

2021-10-11 Thread Kurt Seifried
Can we throw this into OneDrive or something? I can host it if needed.

On Fri, Oct 8, 2021 at 10:52 AM Alec J Summers  wrote:

> Dear Board members,
>
>
>
> Happy Friday! I hope you are all well.
>
>
>
> As promised, I have attached a new version of the draft charter for your
> perusal. I have incorporated the changes that we debated earlier in the
> week as well as some to the later sections that we did not yet have the
> chance to discuss.
>
>
>
> Please take a look and let me know if you would like to put forth any
> adjustments. Note, section 2.5 refers to the professional conduct guidance
> – it is important for all Board members to review the Contributor Covenant (
> https://www.contributor-covenant.org/version/2/1/code_of_conduct/) and
> decide whether we wish to proceed with adopting it for our purposes in this
> domain or if we would like to use our own Professional Code of Conduct
> tailored from that of CVE.
>
>
>
> Please give me your feedback on the charter and the Code of Conduct topic
> by Friday, October 22.
>
>
>
> Cheers,
>
> Alec
>
>
>
> --
>
> *Alec J. Summers*
>
> Cyber Solutions Innovation Center
>
> Group Leader, Software Assurance Research & Practice
>
> Cyber Security Engineer, Lead
>
> O: (781) 271-6970
>
> C: (781) 496-8426
>
>
> *MITRE - Solving Problems for a Safer World*
>
>
>


-- 
Kurt Seifried (He/Him)
k...@seifried.org


Re: CWE submission form

2021-10-06 Thread Kurt Seifried
The authoritative URL is:

https://csaurl.org/blockchain-vulnerabilities

It points to a Google Sheet right now; long term, once it settles down, it'll
hopefully be something else like GitHub.

Some of these map to existing CWEs and are flavours/maybe children, and some
are completely new, like "vote token trapping" or "Smart Contract
Unprotected SELFDESTRUCT Instruction".

On Wed, Oct 6, 2021 at 11:18 AM Alec J Summers  wrote:

> Kurt,
>
>
>
> Apologies for the secondary note, but I wanted to follow up and clarify
> something.
>
>
>
> To your comment: “I have some more questions but I'm finally getting
> around to my list of 200 vulns about 1/4 to 1/2 of which should probably be
> added to CWE and trying to figure out how to do this efficiently.”
>
>
>
> Do you think that ¼ to ½ of these 200 vulns should be NEW entries in CWE
> or simply mapped to existing entries?
>
>
>
> Having asked that, I wouldn’t want you to invest the huge amount of time
> of filling out forms (txt, web, or otherwise) for such a set. I think it
> would be better to perhaps share some of the key items (name, desc,
> references) for some of the entries you think might be new additions to the
> corpus as a way to start the conversation.
>
>
>
> I also wanted to point you to the further guidelines for submissions in
> addition to the txt form itself (note, these are pointed to on the form as
> well):
>
> Guidelines for individual elements:
> https://cwe.mitre.org/community/submissions/guidelines.html#guidelines
>
> Common problems encountered with poor submissions:
> https://cwe.mitre.org/community/submissions/guidelines.html#problems
>
>
>
> Best,
>
> Alec
>
>
>
> --
>
> *Alec J. Summers*
>
> Cyber Solutions Innovation Center
>
> Group Leader, Software Assurance Research & Practice
>
> Cyber Security Engineer, Lead
>
> O: (781) 271-6970
>
> C: (781) 496-8426
>
>
> *MITRE - Solving Problems for a Safer World*
>
>
>
>
>
> *From: *Alec J Summers 
> *Date: *Wednesday, October 6, 2021 at 12:16 PM
> *To: *Seifried, Kurt , CWE CAPEC Board <
> cwe-capec-board-list@mitre.org>
> *Cc: *Bressers, Josh , Steven M Christey ,
> David B Rothenberg 
> *Subject: *Re: CWE submission form
>
> Kurt,
>
>
>
> Thanks for your note and patience in my reply. Yes, your message was
> received :-)
>
>
>
> This text form was our initial solution for standing up a solution to
> ingest entries during the rapid growth of CWE HW content. It was not meant
> to be a long-term solution, although it has worked fairly well, to be
> honest. We are actively finalizing a more broad, web-submission form to
> hopefully be included in the new minor release at the end of the month.
> That is my goal.
>
>
>
> That being said, to your specific questions:
>
>1. “oa Name”
>This is a typo that should read “a Name” – we will resolve
>2. Code language:
>This is not a comprehensive list, and we can add new languages to this
>enumeration list where needed. Some that immediately come to mind are Go,
>Rust, etc. In the corpus, it’s always a balance of simply adding “mappings”
>(e.g., adding “Go” to the language element of an existing weakness) and new
>demonstrative examples with enumerating NEW weaknesses in newly enumerated
>languages. This requires subject matter experts and time, of course, but it
>is certainly something we want to do. I’d love to leverage the community,
>if possible, to identify opportunities here to expand content in these
>languages. This has not arisen with this form before, but one work around
>would be to simply add some language for an option to provide a new
>language not in the list.
>3. Images: we actually added a new capability to incorporate a png
>image to an entry. See:
>https://cwe.mitre.org/data/definitions/1256.html
>
>
>
> Does this help?
>
>
>
> I can get the form updated in the near future to reflect #1-3 above in
> the text form for now. Again, we hope to have the web-submission form
> available on the site soon.
>
>
>
> Cheers,
>
> Alec
>
>
>
> --
>
> *Alec J. Summers*
>
> Cyber Solutions Innovation Center
>
> Group Leader, Software Assurance Research & Practice
>
> Cyber Security Engineer, Lead
>
> O: (781) 271-6970
>
> C: (781) 496-8426
>
>
> *MITRE - Solving Problems for a Safer World*
>
>
>
>
>
> *From: *Kurt Seifried 
> *Date: *Wednesday, October 6, 2021 at 11:49 AM
> *To: *CWE CAPEC Board 

Re: CWE submission form

2021-10-06 Thread Kurt Seifried
Did this email get received? Can we do anything about this? I'm thinking at
a minimum of a simple JSON format instead of that txt file.

On Fri, Oct 1, 2021 at 11:40 AM Kurt Seifried  wrote:

> Regarding the CWE submission form
>
> https://cwe.mitre.org/community/submissions/guidelines.html
>
> specifically
>
> https://cwe.mitre.org/community/submissions/CWE_Submission_Form.txt
>
> It... uses ASCII art boxes/etc.
>
> Also instructions are unclear: "Your entry should include either oa
> Name(s) or Class for each element, but not both."
>
> What is an oa Name(s)?
>
> As for the Language Name/OS/etc. there are lists; are these comprehensive,
> or can we add to them? E.g.:
>
> Language Name: Ada, ASP, ASP.NET, Basic, C, COBOL, C++, C#, Fortran, F#,
> HTML, Java, Javascript, JSP, Objective-C, Pascal, Perl, PHP, Python, Ruby,
> SQL, Shell, Swift, VB.Net, XML, Other
> Language Class: Assembly, Compiled, Interpreted, Language-Independent
>
> Also it says:
>
> "At this time, The CWE team is unable to include diagrams on CWE entry
> pages, but we are looking into incorporating them in the future."
>
> is there any ETA on this?
>
> I have some more questions, but I'm finally getting around to my list of
> 200 vulns, about 1/4 to 1/2 of which should probably be added to CWE, and
> trying to figure out how to do this efficiently. Thanks.
>
>
> --
> Kurt Seifried (He/Him)
> k...@seifried.org
>


-- 
Kurt Seifried (He/Him)
k...@seifried.org


CWE submission form

2021-10-04 Thread Kurt Seifried
Regarding the CWE submission form

https://cwe.mitre.org/community/submissions/guidelines.html

specifically

https://cwe.mitre.org/community/submissions/CWE_Submission_Form.txt

It... uses ASCII art boxes/etc.

Also instructions are unclear: "Your entry should include either oa Name(s)
or Class for each element, but not both."

What is an oa Name(s)?

As for the Language Name/OS/etc. there are lists; are these comprehensive, or
can we add to them? E.g.:

Language Name: Ada, ASP, ASP.NET, Basic, C, COBOL, C++, C#, Fortran, F#,
HTML, Java, Javascript, JSP, Objective-C, Pascal, Perl, PHP, Python, Ruby,
SQL, Shell, Swift, VB.Net, XML, Other
Language Class: Assembly, Compiled, Interpreted, Language-Independent

Also it says:

"At this time, The CWE team is unable to include diagrams on CWE entry
pages, but we are looking into incorporating them in the future."

is there any ETA on this?

I have some more questions, but I'm finally getting around to my list of 200
vulns, about 1/4 to 1/2 of which should probably be added to CWE, and trying
to figure out how to do this efficiently. Thanks.


-- 
Kurt Seifried (He/Him)
k...@seifried.org


Re: Proposed action: Establishing CWE/CAPEC Crypto Working Group

2021-09-09 Thread Kurt Seifried
Some problems have a set of relatively simple solutions: a lot of web
problems boil down to using a good framework, so SQL injection, XSS and so
on mostly go away and get patched by the project responsible for the
framework. Picking a good framework is often left as an exercise for the
reader, but there is some simple/common prescriptive advice (like how to
check project health, security maturity, etc.). Some problems, like logic
errors, have "simple" solutions in the sense that you just need to map out
the control/logic flow and then implement it correctly (see? simple!), but
the actual process to do so varies hugely.

I would suggest that some advice needs to be given; otherwise people end up
on Stack Overflow looking at out-of-date questions/answers and... yeah. We
all know where that ends up.


-Kurt





On Sep 8, 2021, at 1:20 PM, Chris Eng  wrote:



Is it the goal of CWE to provide prescriptive guidance on these things?  If
so, then you might need a working group to keep up with developments in the
space, since NIST updates infrequently and usually lags behind industry
best practices.



Or is it enough just to have categories for insecure algorithm, insecure
hashing, predictable PRNG, etc. without getting into the weeds?  If our aim
is simply to categorize weaknesses, then keeping up with implementation
details might be out of scope.



I am not opposed to it but would like to better understand what problem you
are trying to solve here.







*From:* Alec J Summers 
*Sent:* Wednesday, September 8, 2021 11:11 AM
*To:* CWE CAPEC Board 
*Subject:* [EXTERNAL] Proposed action: Establishing CWE/CAPEC Crypto
Working Group





--

Dear Board Members,



Good morning! I hope you all had an excellent holiday weekend.



I wanted to update you all on a plan of action around establishing a
cryptography working group.



Unlike many other topics covered by CWE, cryptography requires highly
specialized knowledge to perform correctly. Since CWE's early days, that
knowledge has evolved, but CWE entries have not kept up with the pace of
change.



The CWE crypto team is nearing a point in which it must make decisions
about how to represent and organize certain concepts in ways that are
understandable to developers while being consistent with current
perspectives and principles within the cryptography community.



Accordingly, a CWE working group could provide focused discussion to give
confidence that changes will be beneficial to CWE users.



A cryptography working group would be very helpful to the modernization of
CWE with respect to cryptography, key management, hashing,
randomness/predictability, and other related concepts. The group could be
drawn from CWE crypto team members, interested parties from the CWE
research list, people who have provided feedback on earlier questions from
the crypto team, and focused outreach to knowledgeable individuals from
academia, NIST, and security consultants.



The working group might start off informally with e-mail discussion on
broader modernization strategies for CWE with respect to crypto, then
diving into individual topics needing resolution and discussion. A monthly
meeting might be appropriate for richer discussion. It is not clear how
long this working group would be necessary, but regular discussions might
be necessary until at least April 2021. Its benefits would pay off
immediately, possibly influencing changes in CWE 4.6, scheduled for release
in late October.



Please let me know if you have any thoughts or objections to this plan of
action.



Cheers,

Alec



p.s. If you haven’t had a chance to provide feedback to the DRAFT CWE/CAPEC
Board Charter, please do so by 9/13.



-- 

*Alec J. Summers*

Cyber Solutions Innovation Center

Group Leader, Software Assurance Research & Practice

Cyber Security Engineer, Lead

O: (781) 271-6970

C: (781) 496-8426


*MITRE - Solving Problems for a Safer World*


Re: Now Available for Review: CWE/CAPEC Board Charter

2021-09-01 Thread Kurt Seifried
OK, some feedback/comments:


1.3.2 Multiple Members from the Same Organization

Therefore, as a single organization with more than one Board member, only
one of the Board member’s may vote unless an exception is granted by the
Board (2.13 Charter Exceptions).

What happens if the two (or more) members all decide to vote and can't work
it out amongst themselves? Do the votes not get counted, or?

1.5 CWE/CAPEC Program Terms of Use

https://cwe.mitre.org/about/termsofuse.html

Do we need a formal copyright assignment agreement for this?

2.1.2 Board Review and Vote

When a new Board member is nominated, an interview is conducted during an
agreed-to Board call.

Can I suggest this also be done/replaced by email? Limiting it to a single
call only means a lot of people may not be able to make it due to time
zones/scheduling conflicts.

2.4 Change in Member’s Affiliation
A Board member who has a change in organizational affiliation must notify
the Secretariat of the change. Once received, the Secretariat updates the
CWE website to reflect the member’s change in affiliation.
If a Board member’s parent organization does not want to be listed as
affiliated with a Board member, the Secretariat will change the member’s
affiliation to “Independent.”

Does the "two or more people from one org" rule still apply if one or more
of the people choose to be "Independent"?

2.5 Board Member Professional Conduct Guidance
All Board members must follow the CVE Program Professional Code of Conduct.

https://cve.mitre.org/about/professional_code_of_conduct.html

I assume a copy of this will be made with CVE/CWE search and replace?

2.6 Removing Board Members

lack of collegiality or professional conduct

Collegiality isn't defined, and I'm not sure it's needed?

2.11 Board Meetings
2.11.1 Executive Sessions

Can I suggest we also send out the Agenda early (weeks in advance if
possible) so the discussion can happen via email for people who can't make
the call?

2.12.1 Disbanding or Pausing Working Groups

Is the WG content/work/etc. archived and made public, deleted, or?








On Tue, Aug 31, 2021 at 7:48 AM Marisa Harriston 
wrote:

> Dear CWE/CAPEC Board Members,
>
>
>
> I hope that your week is off to a great start. We are pleased to share a
> draft of the CWE/CAPEC Board Charter with you. Please review this document,
> and share your feedback by COB on *Monday, September 13th*. Feel free to
> follow up with any questions or concerns.
>
>
>
> Also, if you haven’t already done so, please let us know which times will
> work best <https://doodle.com/poll/5zwuxw2baxvaaewp> for the next Board
> meeting in November.
>
>
>
> Thanks in advance,
>
> Marisa
>
>
>
> Marisa Harriston
>
> Sr. Communications & Outreach Strategist
>
> National Cybersecurity FFRDC at MITRE
>
> *Mobile:* 571-634-0971
>
>
>
>
>
>
>
>
>
>


-- 
Kurt Seifried (He/Him)
k...@seifried.org