A short alternative definition for weakness: defect or characteristic that could enable undesirable behaviour

...Joe

On Thu, Jul 14, 2022, 11:18 Paul Wooderson <paul.wooder...@horiba-mira.com> wrote:

> All,
>
> One issue I see with these definitions of vulnerability and weakness is that they are circular, i.e. each term uses the other in its definition. So when each term is replaced with its definition in the other term’s definition, it is impossible to resolve what is intended. I have tried this below (including striking the “range of products” as suggested by others) – the substituted definitions are in red text and the circularities are highlighted in yellow.
>
> *Vulnerability*
>
> *A flaw in a software, firmware, hardware, or service component resulting from a **type of flaw or defect inserted during a product lifecycle that, under the right conditions, could contribute to the introduction of vulnerabilities in a range of products made by different vendors** that can be exploited, causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components (from CVE®)*
>
> *Weakness*
>
> *A type of flaw or defect inserted during a product lifecycle that, under the right conditions, could contribute to the introduction of flaws in a software, firmware, hardware, or service component resulting from a weakness that can be exploited, causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components in a range of products made by different vendors*
>
> We have recently addressed the same issue with these same terms in the recently published automotive cybersecurity standard ISO/SAE 21434. There we settled on the following definitions:
>
> vulnerability
> weakness that can be exploited as part of an attack path
>
> weakness
> defect or characteristic that can lead to undesirable behaviour
>
> In this way we can define vulnerabilities as a specific subset of weaknesses.
>
> Definitions in ISO standards tend to be short and less descriptive than these from CVE/CWE, so it may not be appropriate to directly suggest them here. However, if it is preferred to not make further changes to “vulnerability”, then perhaps “weakness” could be modified as follows in order to avoid the circularity:
>
> *Vulnerability*
>
> *A flaw in a software, firmware, hardware, or service component resulting from a weakness that can be exploited, causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components (from CVE®)*
>
> *Weakness*
>
> *A type of flaw or defect inserted during a product lifecycle that, under the right conditions, could **lead to undesirable behaviour***
>
> Best regards,
>
> Paul
>
> *Paul Wooderson*
> *Chief Engineer – Cybersecurity*
> Email: *paul.wooder...@horiba-mira.com <paul.wooder...@horiba-mira.com>*
> Direct: +44 24 7635 5244
> Mobile: +44 7731 010066
> HORIBA MIRA Ltd.
> Watling Street, Nuneaton
> Warwickshire, CV10 0TU, UK
> *www.horiba-mira.com <https://www.horiba-mira.com/>*
>
> *From:* Alec J Summers <asumm...@mitre.org>
> *Sent:* 13 July 2022 18:09
> *To:* CWE Research Discussion <cwe-research-list@mitre.org>
> *Subject:* CWE/CAPEC Definitions
>
> Dear CWE Research Community,
>
> I hope this email finds you well.
>
> Over the past few months, the CWE/CAPEC User Experience Working Group has been working to modernize our programs through a variety of activities. One such activity is harmonizing the definitions on our sites for some of our key terminology including weakness, vulnerability, and attack pattern. As CWE and CAPEC were developed separately and on a different timeline, some of the terms are not defined similarly, and we want to address that.
> We are seeking feedback on our working definitions:
>
> *Vulnerability*
>
> *A flaw in a software, firmware, hardware, or service component resulting from a weakness that can be exploited, causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components (from CVE®)*
>
> *Weakness*
>
> *A type of flaw or defect inserted during a product lifecycle that, under the right conditions, could contribute to the introduction of vulnerabilities in a range of products made by different vendors*
>
> *Attack Pattern*
>
> *The common approach and attributes related to the exploitation of a weakness, usually in cyber-enabled capabilities*
>
> *Note*: CVE’s definition for ‘vulnerability’ was agreed upon after significant community deliberation, and we are not looking to change it at this time.
>
> We are hoping to publish new, improved definitions on our websites at the end of the month. Please provide thoughts and comments by Tuesday, July 26.
>
> Cheers,
>
> Alec
>
> --
>
> *Alec J. Summers*
> Center for Securing the Homeland (CSH)
> Cyber Security Engineer, Principal
> Group Lead, Cybersecurity Operations and Integration
> *––––––––––––––––––––––––––––––––––––*
> *MITRE - Solving Problems for a Safer World™*