RE: [External] - RE: CWE/CAPEC Definitions

Paul Anderson Thu, 14 Jul 2022 10:06:16 -0700 

I also agree with dropping that part of the definition. The rest is good.

-Paul

---
Paul Anderson, VP of Engineering, GrammaTech, Inc.
531 Esty St., Ithaca, NY 14850
Tel: +1 607 273-7340 x118; 
https://www.grammatech.com<https://www.grammatech.com/>

From: Schweiger, Andreas Dr. <[email protected]>
Sent: Thursday, July 14, 2022 7:58 AM
To: CWE Research Discussion <[email protected]>
Subject: [External] - RE: CWE/CAPEC Definitions

CAUTION: External Email


Dear all,

dropping the mentioned part of the sentence is a very good idea.

Apart from that I am fine with all three definitions.

Best wishes
Andreas

Dr. rer. nat. Andreas Schweiger, Dipl.-Inf. (Univ.)
System Architect
TOR Embedded RTS Development - TEYXI
Airbus Defence and Space

T   +49 8459 81-67087
M  +49 172 7159582
F   +49 8459 81-78112
E   [email protected]<mailto:[email protected]>

Airbus Defence and Space GmbH
Rechliner Straße
85077 Manching
Germany

www.airbusdefenceandspace.com<https://usg02.safelinks.protection.office365.us/?url=http%3A%2F%2Fwww.airbusdefenceandspace.com%2F&data=05%7C01%7C%7Cdaaf2cc7c873487ff2be08da65975f14%7C22cbf1b8306c42309e2a81f94e129fa8%7C1%7C0%7C637933998060165434%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=VDFKbLeRfw68eWoRZiIw%2Fh0AFPgbbGo4X9X2u6Hys7E%3D&reserved=0>

Airbus Defence and Space GmbH

Chairman of the Supervisory Board: Dominik Asam
Managing Directors: Dr. Michael Schoellhorn (Chairman), Dr. Lars Immisch
Registered Office: Ottobrunn
District Court of Munich HRB 107 648
UST. Ident. Nr./VAT reg. no. DE167015661




THIS DOCUMENT IS NOT SUBJECT TO EXPORT CONTROL.

From: James Pangburn [mailto:[email protected]]
Sent: Wednesday, July 13, 2022 10:49 PM
To: Joe Baum 
<[email protected]<mailto:[email protected]>>; Kurt 
Seifried <[email protected]<mailto:[email protected]>>
Cc: SJ Jazz <[email protected]<mailto:[email protected]>>; Alec J Summers 
<[email protected]<mailto:[email protected]>>; CWE Research Discussion 
<[email protected]<mailto:[email protected]>>
Subject: RE: CWE/CAPEC Definitions

I also vote to drop "in a range of ..."

Best regards,
Jim Pangburn
Director, IPG Operations

From: Joe Baum 
<[email protected]<mailto:[email protected]>>
Sent: Wednesday, July 13, 2022 1:21 PM
To: Kurt Seifried <[email protected]<mailto:[email protected]>>
Cc: SJ Jazz <[email protected]<mailto:[email protected]>>; Alec J Summers 
<[email protected]<mailto:[email protected]>>; CWE Research Discussion 
<[email protected]<mailto:[email protected]>>
Subject: Re: CWE/CAPEC Definitions

EXTERNAL MAIL
Or for that matter non-vendors. Software composition, as an example, Open 
Source, etc.



Best Regards,
Joe Baum
Director, Threat Management Group





On Wed, Jul 13, 2022 at 3:18 PM Kurt Seifried 
<[email protected]<mailto:[email protected]>> wrote:
Also, it excludes services. So yeah, I vote drop the " in a range of products 
made by different vendors"

On Wed, Jul 13, 2022 at 2:12 PM SJ Jazz 
<[email protected]<mailto:[email protected]>> wrote:
I still recommend deleting at the end of the definition of weakness "... in a 
range of products made by different vendors.

It adds no value, and actually unintentionally limits applicability by implying 
weaknesses only apply to products made by vendors.

Regards,

Joe

On Wed, Jul 13, 2022, 12:08 Alec J Summers 
<[email protected]<mailto:[email protected]>> wrote:
Dear CWE Research Community,

I hope this email finds you well.

Over the past few months, the CWE/CAPEC User Experience Working Group has been 
working to modernize our programs through a variety of activities. One such 
activity is harmonizing the definitions on our sites for some of our key 
terminology including weakness, vulnerability, and attack pattern. As CWE and 
CAPEC were developed separately and on a different timeline, some of the terms 
are not defined similarly, and we want to address that.

We are seeking feedback on our working definitions:

Vulnerability
A flaw in a software, firmware, hardware, or service component resulting from a 
weakness that can be exploited, causing a negative impact to the 
confidentiality, integrity, or availability of an impacted component or 
components (from CVE®)
Weakness
A type of flaw or defect inserted during a product lifecycle that, under the 
right conditions, could contribute to the introduction of vulnerabilities in a 
range of products made by different vendors
Attack Pattern
The common approach and attributes related to the exploitation of a weakness, 
usually in cyber-enabled capabilities

Note: CVE's definition for 'vulnerability' was agreed upon after significant 
community deliberation, and we are not looking to change it at this time.

We are hoping to publish new, improved definitions on our websites at the end 
of the month. Please provide thoughts and comments by Tuesday, July 26.

Cheers,
Alec

--
Alec J. Summers
Center for Securing the Homeland (CSH)
Cyber Security Engineer, Principal
Group Lead, Cybersecurity Operations and Integration
------------------------------------
MITRE - Solving Problems for a Safer World(tm)




--
Kurt Seifried (He/Him)
[email protected]<mailto:[email protected]>


For more information on how and why we collect your personal information, 
please visit our Privacy 
Policy<https://usg02.safelinks.protection.office365.us/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2Fwww.motorolasolutions.com%2Fen_us%2Fabout%2Fprivacy-policy.html%3FelqTrackId%3D8980d888905940e39a2613a7a3dcb0a7%26elqaid%3D2786%26elqat%3D2*privacystatement__%3BIw!!EHscmS1ygiU1lA!HoAHMf_wuSq-0SkyyBWnWkRrlC1iilECJYPmmvLny6ZvzB7Ffrj5HuBJ3ORBz0l5JEIPajfx6HC5WZtdO0TO93z2Ww%24&data=05%7C01%7C%7Cdaaf2cc7c873487ff2be08da65975f14%7C22cbf1b8306c42309e2a81f94e129fa8%7C1%7C0%7C637933998060165434%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=LWfe0C3qbrzG1fwXcmLHAfPVjkuURAJUKMyBJYysRtA%3D&reserved=0>.
The information in this e-mail is confidential. The contents may not be 
disclosed or used by anyone other than the addressee. Access to this e-mail by 
anyone else is unauthorised.
If you are not the intended recipient, please notify Airbus immediately and 
delete this e-mail.
Airbus cannot accept any responsibility for the accuracy or completeness of 
this e-mail as it has been sent over public networks. If you have any concerns 
over the content of this message or its Accuracy or Integrity, please contact 
Airbus immediately.
All outgoing e-mails from Airbus are checked using regularly updated virus 
scanning software but you should take whatever measures you deem to be 
appropriate to ensure that this message and any attachments are virus free.
________________________________
The information contained in this e-mail and any attachments from GrammaTech, 
Inc may contain confidential and/or proprietary information, and is intended 
only for the named recipient to whom it was originally addressed. If you are 
not the intended recipient, any disclosure, distribution, or copying of this 
e-mail or its attachments is strictly prohibited. If you have received this 
e-mail in error, please notify the sender immediately by return e-mail and 
permanently delete the e-mail and any attachments.

Reply via email to

Morty Proxy This is a proxified and sanitized view of the page, visit original site.