Hi Alec and all,

Happy to hear there is an initiative to help align these definitions. I know it's a very common confusion point for many.

A couple of thoughts/comments from me:

- In the weakness definition the word "mistake" throws me off a bit because that implies there was awareness of the issue and an intent to not make it. But many weaknesses appear just because individuals are completely unaware. I'm trying to think of another word, but what is on the CWE site I do like at first glance: "...flaws, faults, bugs, or other errors in software or hardware implementation, code, design, or architecture..." There's probably a compromise in there that's shorter...

- I also think showing how Vulnerabilities, Weaknesses, and Attack Patterns relate to one another with a single picture would be really powerful and helpful for the community. I see the vulnerabilities as the focal point, with a set of weaknesses contributing to the vulnerability, and attack patterns forming how those weaknesses are exploited. So maybe a "funnel" with a vulnerability at the end, weaknesses spread across the input, and a cross section of attacks stringing those weaknesses together. We could surely debate the specific representation of this, but I do think a picture would be very helpful.

Regards,
Jason

On Tue, May 24, 2022 at 9:49 AM Alec J Summers <[email protected]> wrote:
> Dear CWE/CAPEC Board Members,
>
> Good afternoon! I hope the week is going well for you all.
>
> During a recent CWE/CAPEC User Experience Working Group session, the topic
> of definitions came up – more specifically, the difficulty in agreeing on
> good ones and making sure they are understood by downstream users. It also
> reminded me of Pietro's comment during our February meeting, I believe, on
> the importance of harmonious definitions for similar terms across the CVE
> and CWE/CAPEC sites.
>
> To that end, the team went ahead and did a quick document authorities
> search of our key terminology to start (i.e., vulnerability, weakness,
> attack pattern), and suggested the following:
>
> Term: Vulnerability
> Definition: A flaw in a software, firmware, hardware, or service component
> resulting from a weakness that can be exploited, causing a negative impact
> to the confidentiality, integrity, or availability of an impacted component
> or components. (not changed)
> Authority: CVE
> Authorities Doc: website
>
> Term: Weakness
> Definition: A type of mistake made during the implementation, design, or
> other phases of a product lifecycle that, under the right conditions, could
> contribute to the introduction of vulnerabilities in a range of products
> made by different vendors.
> Authority: n/a
> Authorities Doc: edited from def on CWE website
>
> Term: Attack Pattern
> Definition: The common approach and attributes related to the exploitation
> of a known weakness type, usually in cyber-enabled capabilities
> Authority: n/a
> Authorities Doc: edited from def on CAPEC website
>
> The full spreadsheet of definitions to compare is attached. The plan would
> be to unify the definitions according to the above across all our sites.
> Would love to hear your thoughts.
>
> Cheers,
> Alec
>
> --
> Alec J. Summers
> Center for Securing the Homeland (CSH)
> Cyber Security Engineer, Principal
> Group Lead, Cybersecurity Operations and Integration
> MITRE - Solving Problems for a Safer World™

--
Dr. Jason Oberg | Co-Founder and CTO | +1 (808) 635-7604
Tortuga Logic <http://www.tortugalogic.com/> | 75 E Santa Clara Street, San Jose, CA 95113
