Re: CWE/CAPEC definitions update

2022-09-13 Thread Kurt Seifried
Should we also acknowledge regulated industries/law, e.g.

causing a negative impact to the confidentiality, integrity, or
availability of an impacted component or components, and/or violating a
given security policy/law/regulation that applies to the affected entity.

On Mon, Sep 12, 2022 at 1:55 PM Alec J Summers  wrote:

> Dear CWE/CAPEC Community,
>
> Earlier this summer I emailed you regarding the CWE/CAPEC User Experience
> Working Group’s efforts to harmonize the definitions of some key
> terminology across our sites. As CWE and CAPEC were developed separately
> and on a different timeline, some of the terms are not similarly defined,
> and we want to address that.
>
> Thank you for your thoughtful and considered feedback to my first request
> for comment on this topic. We received the most feedback on the definition
> of “weakness”. The UEWG and the CWE/CAPEC team have used that in our
> development of a new definition:
>
> Weakness: A condition in a software, firmware, hardware, or service
> component that, under the right circumstances, could contribute to the
> introduction of vulnerabilities
>
> If adopted, this would be accompanied by the following two definitions for
> ‘attack pattern’ and ‘vulnerability’, respectively.
>
> Attack Pattern: The common approach and attributes related to the
> exploitation of a weakness, usually in cyber-enabled capabilities
>
> Vulnerability: A flaw in a software, firmware, hardware, or service
> component resulting from a weakness that can be exploited, causing a
> negative impact to the confidentiality, integrity, or availability of an
> impacted component or components. (from CVE® and not in consideration
> for modification)
>
> We are eager to hear your thoughts, and we look forward to formalizing
> this change on our sites soon.
>
> Cheers,
>
> Alec
>
> --
> Alec J. Summers
> Center for Securing the Homeland (CSH)
> Cyber Security Engineer, Principal
> Group Lead, Cybersecurity Operations and Integration
>
> MITRE - Solving Problems for a Safer World™


-- 
Kurt Seifried (He/Him)
k...@seifried.org


CWE/CAPEC definitions update

2022-09-12 Thread Alec J Summers
Dear CWE/CAPEC Community,

Earlier this summer I emailed you regarding the CWE/CAPEC User Experience 
Working Group’s efforts to harmonize the definitions of some key terminology 
across our sites. As CWE and CAPEC were developed separately and on a different 
timeline, some of the terms are not similarly defined, and we want to address 
that.

Thank you for your thoughtful and considered feedback to my first request for 
comment on this topic. We received the most feedback on the definition of 
“weakness”. The UEWG and the CWE/CAPEC team have used that in our development of 
a new definition:

Weakness: A condition in a software, firmware, hardware, or service component 
that, under the right circumstances, could contribute to the introduction of 
vulnerabilities

If adopted, this would be accompanied by the following two definitions for 
‘attack pattern’ and ‘vulnerability’, respectively.

Attack Pattern: The common approach and attributes related to the exploitation 
of a weakness, usually in cyber-enabled capabilities

Vulnerability: A flaw in a software, firmware, hardware, or service component 
resulting from a weakness that can be exploited, causing a negative impact to 
the confidentiality, integrity, or availability of an impacted component or 
components. (from CVE® and not in consideration for modification)

We are eager to hear your thoughts, and we look forward to formalizing this 
change on our sites soon.

Cheers,
Alec

--
Alec J. Summers
Center for Securing the Homeland (CSH)
Cyber Security Engineer, Principal
Group Lead, Cybersecurity Operations and Integration

MITRE - Solving Problems for a Safer World™