"process" means executing process, or like a business process, e.g. password reset policy?
On Tue, May 24, 2022 at 2:15 PM Jeremy West <[email protected]> wrote:
> Red Hat adopted the following definition of a weakness a year or so ago. "A
> weakness is specifically the absence of a safeguard in an asset or process
> that provides a higher potential or frequency of a threat occurring, but
> does not meet the exploitability criteria for a vulnerability." We've also
> defined vulnerability much more broadly to include weaknesses as a subset:
> "A weakness or absence of a safeguard in an asset that provides a higher
> potential or frequency of a threat occurring." We were running into
> differing opinions when we looked at each as separate and unique. The
> other factor we've called out internally is hardening. The key difference
> between a weakness and hardening for us is that a weakness is a direct
> factor in the potential and frequency vs hardening which are safeguards
> which prevent.
>
> On Tue, May 24, 2022 at 12:49 PM Alec J Summers <[email protected]> wrote:
>> Dear CWE/CAPEC Board Members,
>>
>> Good afternoon! I hope the week is going well for you all.
>>
>> During a recent CWE/CAPEC User Experience Working Group session, the
>> topic of definitions came up – more specifically, the difficulty in
>> agreeing on good ones and making sure they are understood by downstream
>> users. It also reminded me of Pietro's comment during our February meeting,
>> I believe, on the importance of harmonious definitions for similar terms
>> across the CVE and CWE/CAPEC sites.
>>
>> To that end, the team went ahead and did a quick document authorities
>> search of our key terminology to start (i.e., vulnerability, weakness,
>> attack pattern), and suggested the following:
>>
>> Term: Vulnerability
>> Definition: A flaw in a software, firmware, hardware, or service component
>> resulting from a weakness that can be exploited, causing a negative impact
>> to the confidentiality, integrity, or availability of an impacted component
>> or components. (not changed)
>> Authority: CVE
>> Authorities Doc: website
>>
>> Term: Weakness
>> Definition: A type of mistake made during the implementation, design, or
>> other phases of a product lifecycle that, under the right conditions, could
>> contribute to the introduction of vulnerabilities in a range of products
>> made by different vendors.
>> Authority: n/a
>> Authorities Doc: edited from def on CWE website
>>
>> Term: Attack Pattern
>> Definition: The common approach and attributes related to the exploitation
>> of a known weakness type, usually in cyber-enabled capabilities
>> Authority: n/a
>> Authorities Doc: edited from def on CAPEC website
>>
>> The full spreadsheet of definitions to compare is attached. The plan
>> would be to unify the definitions according to the above across all our
>> sites. Would love to hear your thoughts.
>>
>> Cheers,
>> Alec
>>
>> --
>> Alec J. Summers
>> Center for Securing the Homeland (CSH)
>> Cyber Security Engineer, Principal
>> Group Lead, Cybersecurity Operations and Integration
>> ––––––––––––––––––––––––––––––––––––
>> MITRE - Solving Problems for a Safer World™
>
> --
> Jeremy West
> Red Hat Product Security
> Red Hat Massachusetts <https://www.redhat.com>
> 314 Littleton Rd
> [email protected]
> M: 9192686967 IM: hobbit
> <https://red.ht/sig>

--
Kurt Seifried (He/Him)
[email protected]
