Should we also acknowledge regulated industries/law, e.g.
causing a negative impact to the confidentiality, integrity, or
availability of an impacted component or components, and/or violating a
given security policy/law/regulation that applies to the affected entity.
On Mon, Sep 12, 2022 at 1:55 PM Alec J Summers wrote:
> Dear CWE/CAPEC Community,
>
>
>
> Earlier this summer I emailed you regarding the CWE/CAPEC User Experience
> Working Group’s efforts to harmonize the definitions of some key
> terminology across our sites. As CWE and CAPEC were developed separately
> and on a different timeline, some of the terms are not similarly defined,
> and we want to address that.
>
>
>
> Thank you for your thoughtful and considered feedback to my first request
> for comment on this topic. We received the most feedback on the definition
> of “weakness”. The UEWG and the CWE/CAPEC team has used that in our
> development of a new definition:
>
>
>
> *Weakness*: *A condition in a software, firmware, hardware, or service
> component that, under the right circumstances, could contribute to the
> introduction of vulnerabilities*
>
>
>
> If adopted, this would be accompanied by the following two definitions for
> ‘attack pattern’ and ‘vulnerability’, respectively.
>
>
>
> *Attack Pattern: **The common approach and attributes related to the
> exploitation of a weakness, usually in cyber-enabled capabilities*
>
>
>
> *Vulnerability*: *A flaw in a software, firmware, hardware, or service
> component resulting from a weakness that can be exploited, causing a
> negative impact to the confidentiality, integrity, or availability of an
> impacted component or components. *(from CVE® and not in consideration
> for modification)
>
>
>
> We are eager to hear your thoughts, and we look forward to formalizing
> this change on our sites soon.
>
>
>
> Cheers,
>
> Alec
>
>
>
> --
>
> *Alec J. Summers*
>
> Center for Securing the Homeland (CSH)
>
> Cyber Security Engineer, Principal
>
> Group Lead, Cybersecurity Operations and Integration
>
> **
>
> *MITRE - Solving Problems for a Safer World™*
>
>
>
>
>
--
Kurt Seifried (He/Him)
k...@seifried.org