Seifried
Sent: Thursday, July 14, 2022 2:45 PM
To: Hatfield, Arthur
Cc: SJ Jazz; Rob Wissmann; Alec J Summers; CWE Research Discussion
Subject: Re: CWE/CAPEC Definitions
There are also changes in standards, expectations and so on. 20 years ago 2FA was
exotic, now it’s commonplace, and in 20
Putting "known" in there still works. It doesn't say publicly known, and known
ability to be exploited for negative impact is still the distinction between
weakness and vulnerability.
From: SJ Jazz
Sent: Thursday, July 14, 2022 1:13 PM
To: Rob Wissmann
Cc: Alec J Summers; CW
Regarding the circular definitions, it has always struck me that weaknesses are
flaws that may or may not be exploitable to cause negative impact whereas
vulnerabilities are flaws known to be exploitable to cause negative impact.
A rewrite of the definitions to match this concept:
Steven,
Is there any room to update the description or extended description of CWE-436:
Interpretation Conflict to suggest that specs or requirements may be at fault for
leaving certain behaviors up to the implementation that should not be, leaving
room for interpretation conflicts to occur and become
hts, or
permissions.
The title and description should be reverted to remove conflation of the terms.
Thank you,
Rob Wissmann