Dear CWE/CAPEC Board Members,
Good afternoon! I hope the week is going well for you all.
During a recent CWE/CAPEC User Experience Working Group session, the topic of
definitions came up – more specifically, the difficulty in agreeing on good
ones and making sure they are understood by

Hi Alec and all,
Happy to hear there is an initiative to help align these definitions. I
know it's a very common confusion point for many.
A couple of thoughts/comments from me:
- In the weakness definition the word "mistake" throws me off a bit
because that implies there was awareness of

Red Hat adopted the following definition of a weakness a year or so ago. "A
weakness is specifically the absence of a safeguard in an asset or process
that provides a higher potential or frequency of a threat occurring, but
does not meet the exploitability criteria for a vulnerability." We've

Jeremy, welcome!
I like the idea of defining a weakness with regard to a protection for an asset.
The protection could have weaknesses because of mistakes, forgetfulness, or
any other reason (e.g. environment). An asset-based definition fits really
well for hardware and I think for a lot of software, but