cti-cybox message
Subject: Fwd: Re: [cti-stix] Vulnerability object added


Jerome:

So this suggestion does not get lost in the shuffle of the final push toward MVP, I'm forwarding it to the CybOX list as well. There will be an effort to reorganize the path forward after we get the STIX 2.0 & CybOX 3.0 Pre-Draft Specs out for public review. That effort will be aimed at picking up the threads of the discussions on the Objects and issues that have been temporarily placed on hold in order to meet the July 29th deadline.

That would be a good time to get this suggestion on the agenda.

Jane Ginn

*************************************************

Hi,

I suggest reusing standardized definitions for CTI.
(they could be tweaked a bit for highlighting/explaining the
relationships between the CTI objects using the CTI objects' names)

For example:

vulnerability
Weakness in an information system, system security procedures,
internal controls, or implementation that could be exploited by a
threat source.
Source: NIST SP 800-30 Rev 1
CNSSI 4009 revised April 6, 2015

if considered too generic - another example
A vulnerability is a software weakness that can be exploited by an
attacker. Bugs and flaws collectively form the basis of most software
vulnerabilities.
https://buildsecurityin.us-cert.gov/articles/knowledge/attack-patterns/attack-pattern-glossary

(I hate definitions of "hacker" other than RFC1392)


PS: probably "too early" to discuss that, but I will be interested, at
some point, in discussing the relationships with, or mechanisms for
leveraging, CybOX objects in the description of Vulnerability (with an
extended/better model than the CVE one), allowing, for example, the
automation, or semi-automation, of the COAs, especially in the context
of web application software, where, for example, the Vulnerability
model would have to offer information related to URIs/URLs and
parameters (a little bit more than a CWE, and not a CPE). CVE+X ((for
OVALX)) anyone?


--
Jane Ginn, MSIA, MRP
CTI-TC Co-Secretary
Cyber Threat Intelligence Network, Inc.
jg@ctin.us
