Fwd: vulnerability definitions


Art Manion
Terminology was mentioned; I just sent this to the CVSS list.

 - Art


MITRE CVE:

A "vulnerability" is a weakness in the computational logic (e.g., code)
found in software and some hardware components (e.g., firmware) that,
when exploited, results in a negative impact to confidentiality,
integrity, OR availability.

https://cve.mitre.org/about/terminology.html


UCF:

https://compliancedictionary.com/term/1613

(collection of other known definitions)


NISTIR 8151:

"...one or more weaknesses that can be accidentally triggered or
intentionally exploited and result in a violation of desired system
properties. A weakness is an undesired characteristic of a system’s
requirements, design or implementation."

http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8151.pdf

(I like this one, but don't think the "accidentally triggered" bit is
necessary.)


ISO 27000:
weakness of an asset or control (2.16) that can be exploited by one or
more threats (2.83)

(Too generic?)


ISO 29147:
weakness of software, hardware, or online service that can be exploited
(published)

functional behaviour of a product or online service that violates an
implicit or explicit security policy (revised)

set of conditions or behavior that violates an implicit or explicit
security policy (my personal version)

"Implicit" policy is equivalent to NIST's "desired system properties,"
e.g., my implicit policy is that arbitrary code shouldn't execute when I
open a PDF file.


 - Art