Re: CWE-653 name

2022-07-01 Thread Yacouba Bamba
Isolation or compartmentalization are just means or, if you like, techniques
to achieve the pursued goal.

Kind regards,

Yacouba Bamba


On Fri, Jul 1, 2022, 06:57, Yacouba Bamba wrote:

> Hi
>
> There is no issue with the description imo.
> Proper "Isolation" can be achieved with very good "compartmentalization".
> If that is correct, I guess the main idea behind this is to strictly give
> access to available data and/or resource to only authorized users.
> "Distinct Environments" for distinct users, hence, isolate
> "Environments" from one another. To achieve this you'll use
> compartmentalization, don't you?
>
>
> On Tue, Jun 28, 2022, 21:16, Rob Wissmann wrote:
>
>> Hi,
>>
>>
>>
>> I have a comment about last October’s name change for CWE-653 from
>> “Insufficient Compartmentalization” to “Improper Isolation or
>> Compartmentalization”. The addition of “Isolation” alters the meaning of
>> the CWE in a way that I’m not sure was intended.
>>
>>
>>
>> Compartmentalization is strictly about segmenting functionality or
>> resources such that privileges may be scoped to them, as described in the
>> notes section of CWE-653:
>>
>>
>>
>> There is a close association with CWE-250 (Execution with Unnecessary
>> Privileges). CWE-653 is about providing separate components for each
>> "privilege"; CWE-250 is about ensuring that each component has the least
>> amount of privileges possible. In this fashion, compartmentalization
>> becomes one mechanism for reducing privileges.
>>
>>
>>
>> Isolation has a broader meaning than compartmentalization, it is
>> inclusive of the privilege set assigned to the component and centered
>> around particular types of privilege/access. For example, splitting
>> functionality into two processes is compartmentalization. Applying access
>> controls to ensure that only one process has database write access is an
>> example of isolation built on compartmentalization.
>>
>>
>>
>> “Compartmentalization” and “isolation” mean different things. The
>> addition of “Isolation” to the title of CWE-653 conflates the two, making
>> it seem like they are synonyms. The description also is worded as if the
>> two are interchangeable:
>>
>>
>>
>> The product does not properly compartmentalize or isolate functionality,
>> processes, or resources that require different privilege levels, rights, or
>> permissions.
>>
>>
>>
>> The title and description should be reverted to remove conflation of the
>> terms.
>>
>>
>>
>> Thank you,
>>
>> Rob Wissmann
>>
>


Re: CWE-653 name

2022-06-30 Thread Yacouba Bamba
Hi

There is no issue with the description imo.
Proper "Isolation" can be achieved with very good "compartmentalization".
If that is correct, I guess the main idea behind this is to strictly give
access to available data and/or resource to only authorized users.
"Distinct Environments" for distinct users, hence, isolate
"Environments" from one another. To achieve this you'll use
compartmentalization, don't you?


On Tue, Jun 28, 2022, 21:16, Rob Wissmann wrote:

> Hi,
>
>
>
> I have a comment about last October’s name change for CWE-653 from
> “Insufficient Compartmentalization” to “Improper Isolation or
> Compartmentalization”. The addition of “Isolation” alters the meaning of
> the CWE in a way that I’m not sure was intended.
>
>
>
> Compartmentalization is strictly about segmenting functionality or
> resources such that privileges may be scoped to them, as described in the
> notes section of CWE-653:
>
>
>
> There is a close association with CWE-250 (Execution with Unnecessary
> Privileges). CWE-653 is about providing separate components for each
> "privilege"; CWE-250 is about ensuring that each component has the least
> amount of privileges possible. In this fashion, compartmentalization
> becomes one mechanism for reducing privileges.
>
>
>
> Isolation has a broader meaning than compartmentalization, it is inclusive
> of the privilege set assigned to the component and centered around
> particular types of privilege/access. For example, splitting functionality
> into two processes is compartmentalization. Applying access controls to
> ensure that only one process has database write access is an example of
> isolation built on compartmentalization.
>
>
>
> “Compartmentalization” and “isolation” mean different things. The addition
> of “Isolation” to the title of CWE-653 conflates the two, making it seem
> like they are synonyms. The description also is worded as if the two are
> interchangeable:
>
>
>
> The product does not properly compartmentalize or isolate functionality,
> processes, or resources that require different privilege levels, rights, or
> permissions.
>
>
>
> The title and description should be reverted to remove conflation of the
> terms.
>
>
>
> Thank you,
>
> Rob Wissmann
>


Re: CWE-653 name

2022-06-30 Thread David A. Wheeler


> On Jun 30, 2022, at 11:49 AM, Kurt Seifried  wrote:
> 
> One thing I'm noticing when I search the CWE database:
> 
> It's a nightmare. Really bad. Like... is the keyword I want "identical", 
> "shared", "reused"...
> ...
> 
> I think we should worry a LOT less about getting the perfect short/exact 
> wording and more about descriptive titles and text that people can actually 
> find and use.

I agree that longer titles, to clarify the topic, are more important than 
shortness.
More words also make it easier for search engines (like Google's) to find it.

In addition, adding more text in the detailed description to explain 
alternative terms might
also help when searching.

--- David A. Wheeler

Re: CWE-653 name

2022-06-30 Thread Kurt Seifried
One thing I'm noticing when I search the CWE database:

It's a nightmare. Really bad. Like... is the keyword I want "identical",
"shared", "reused"...

I've noticed Amazon products are basically SEO buzzword bingo:

Wonder Space Soft Pit Balls, Chemical-Free Crush Proof Plastic Ocean Ball,
BPA Free with No Smell, Safe for Toddler Ball Pit/ Kiddie Pool/ Indoor Baby
Playpen

I'm not saying we should go this far, but making CWE more searchable by
including more keywords, or a search keywords field or something would sure
help.

In your case:

“Compartmentalization” and “isolation” mean different things.

Well, yes, probably, because they're different words. But what definitions
are you using? Websters? OED?

I think we should worry a LOT less about getting the perfect short/exact
wording and more about descriptive titles and text that people can actually
find and use.

On Tue, Jun 28, 2022 at 1:16 PM Rob Wissmann 
wrote:

> Hi,
>
>
>
> I have a comment about last October’s name change for CWE-653 from
> “Insufficient Compartmentalization” to “Improper Isolation or
> Compartmentalization”. The addition of “Isolation” alters the meaning of
> the CWE in a way that I’m not sure was intended.
>
>
>
> Compartmentalization is strictly about segmenting functionality or
> resources such that privileges may be scoped to them, as described in the
> notes section of CWE-653:
>
>
>
> There is a close association with CWE-250 (Execution with Unnecessary
> Privileges). CWE-653 is about providing separate components for each
> "privilege"; CWE-250 is about ensuring that each component has the least
> amount of privileges possible. In this fashion, compartmentalization
> becomes one mechanism for reducing privileges.
>
>
>
> Isolation has a broader meaning than compartmentalization, it is inclusive
> of the privilege set assigned to the component and centered around
> particular types of privilege/access. For example, splitting functionality
> into two processes is compartmentalization. Applying access controls to
> ensure that only one process has database write access is an example of
> isolation built on compartmentalization.
>
>
>
> “Compartmentalization” and “isolation” mean different things. The addition
> of “Isolation” to the title of CWE-653 conflates the two, making it seem
> like they are synonyms. The description also is worded as if the two are
> interchangeable:
>
>
>
> The product does not properly compartmentalize or isolate functionality,
> processes, or resources that require different privilege levels, rights, or
> permissions.
>
>
>
> The title and description should be reverted to remove conflation of the
> terms.
>
>
>
> Thank you,
>
> Rob Wissmann
>


-- 
Kurt Seifried (He/Him)
k...@seifried.org
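
The distinction drawn in the original message of this thread (splitting functionality into two processes versus ensuring only one of them has database write access), as an added example that is not part of the thread. The `events` table, the "ingest" and "report" roles and the use of SQLite's read-only open mode as a stand-in for a database-side access control are assumptions made for illustration.

```python
import os, sqlite3, subprocess, sys, tempfile
from pathlib import Path

# Code every worker process runs: open the database at the URI it was handed
# and attempt one INSERT. Exit status 0 = write succeeded, 1 = write denied.
WORKER = """
import sqlite3, sys
con = sqlite3.connect(sys.argv[1], uri=True)
try:
    con.execute("INSERT INTO events(msg) VALUES (?)", (sys.argv[2],))
    con.commit()
except sqlite3.OperationalError:
    sys.exit(1)
"""

def run_worker(uri, role):
    """Start a separate process for `role`; return True if its write landed."""
    proc = subprocess.run([sys.executable, "-c", WORKER, uri, role])
    return proc.returncode == 0

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = Path(os.path.join(d, "app.db"))  # constructed sample database
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE events(msg TEXT)")
        con.commit()
        con.close()
        rw = path.as_uri() + "?mode=rw"   # write-capable handle
        ro = path.as_uri() + "?mode=ro"   # read-only handle
        # Compartmentalization alone: two processes, but both can still write.
        split_only = (run_worker(rw, "ingest"), run_worker(rw, "report"))
        # Isolation built on it: only the ingest process gets write access.
        isolated = (run_worker(rw, "ingest"), run_worker(ro, "report"))
        con = sqlite3.connect(path)
        rows = [r[0] for r in con.execute("SELECT msg FROM events ORDER BY rowid")]
        con.close()
        return split_only, isolated, rows

if __name__ == "__main__":
    print(demo())
```

In the first run the process boundary exists but scopes nothing, so the reporting process writes to the table; in the second the same two processes differ only in the access each was granted.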