Hi, I have a comment about last October's name change for CWE-653 from "Insufficient Compartmentalization" to "Improper Isolation or Compartmentalization". The addition of "Isolation" alters the meaning of the CWE in a way that I'm not sure was intended.
Compartmentalization is strictly about segmenting functionality or resources such that privileges may be scoped to them, as described in the notes section of CWE-653: There is a close association with CWE-250<https://cwe.mitre.org/data/definitions/250.html> (Execution with Unnecessary Privileges). CWE-653<https://cwe.mitre.org/data/definitions/653.html> is about providing separate components for each "privilege"; CWE-250<https://cwe.mitre.org/data/definitions/250.html> is about ensuring that each component has the least amount of privileges possible. In this fashion, compartmentalization becomes one mechanism for reducing privileges. Isolation has a broader meaning than compartmentalization, it is inclusive of the privilege set assigned to the component and centered around particular types of privilege/access. For example, splitting functionality into two processes is compartmentalization. Applying access controls to ensure that only one process has database write access is an example of isolation built on compartmentalization. "Compartmentalization" and "isolation" mean different things. The addition of "Isolation" to the title of CWE-653 conflates the two, making it seem like they are synonyms. The description also is worded as if the two are interchangeable: The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions. The title and description should be reverted to remove conflation of the terms. Thank you, Rob Wissmann
