Should we also acknowledge regulated industries/law, e.g. causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components, and/or violating a given security policy/law/regulation that applies to the affected entity.
On Mon, Sep 12, 2022 at 1:55 PM Alec J Summers <asumm...@mitre.org> wrote:

> Dear CWE/CAPEC Community,
>
> Earlier this summer I emailed you regarding the CWE/CAPEC User Experience
> Working Group's efforts to harmonize the definitions of some key
> terminology across our sites. As CWE and CAPEC were developed separately
> and on a different timeline, some of the terms are not similarly defined,
> and we want to address that.
>
> Thank you for your thoughtful and considered feedback to my first request
> for comment on this topic. We received the most feedback on the definition
> of "weakness". The UEWG and the CWE/CAPEC team has used that in our
> development of a new definition:
>
> *Weakness*: *A condition in a software, firmware, hardware, or service
> component that, under the right circumstances, could contribute to the
> introduction of vulnerabilities*
>
> If adopted, this would be accompanied by the following two definitions for
> 'attack pattern' and 'vulnerability', respectively.
>
> *Attack Pattern*: *The common approach and attributes related to the
> exploitation of a weakness, usually in cyber-enabled capabilities*
>
> *Vulnerability*: *A flaw in a software, firmware, hardware, or service
> component resulting from a weakness that can be exploited, causing a
> negative impact to the confidentiality, integrity, or availability of an
> impacted component or components.* (from CVE® and not in consideration
> for modification)
>
> We are eager to hear your thoughts, and we look forward to formalizing
> this change on our sites soon.
>
> Cheers,
>
> Alec
>
> --
>
> *Alec J. Summers*
>
> Center for Securing the Homeland (CSH)
>
> Cyber Security Engineer, Principal
>
> Group Lead, Cybersecurity Operations and Integration
>
> *––––––––––––––––––––––––––––––––––––*
>
> *MITRE - Solving Problems for a Safer World™*

--
Kurt Seifried (He/Him)
k...@seifried.org