cti-cybox message



Subject: Re: Re: [cti-stix] Vulnerability object added


Thank you, Jane.
This would, for example, give an idea of the concept/context behind it:
https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications

Best regards


On Thu, Jul 14, 2016 at 10:58 PM, JG on CTI-TC <jg@ctin.us> wrote:
> Jerome:
>
> So this suggestion does not get lost in the shuffle of the final push toward
> MVP I'm forwarding it to the CybOX list as well. There will be an effort to
> reorganize the path forward after we get the STIX 2.0 & CybOX 3.0 Pre-Draft
> Specs out for public review. That effort will be aimed at picking up the
> threads for the discussions on the Objects and issues that have been
> temporarily placed on hold in order to meet the July 29th deadline.
>
> That would be a good time to get this suggestion on the agenda.
>
> Jane Ginn
>
> *************************************************
>
>
> Hi,
>
> I suggest reusing standardized definitions for CTI.
> (they could be tweaked a bit for highlighting/explaining the
> relationships between the CTI objects using the CTI objects' names)
>
> For example:
>
> vulnerability
> Weakness in an information system, system security procedures,
> internal controls, or implementation that could be exploited by a
> threat source.
> Source: NIST SP 800-30 Rev 1
> CNSSI 4009 revised April 6, 2015
>
> if considered too generic - another example
> A vulnerability is a software weakness that can be exploited by an
> attacker. Bugs and flaws collectively form the basis of most software
> vulnerabilities.
> https://buildsecurityin.us-cert.gov/articles/knowledge/attack-patterns/attack-pattern-glossary
>
> (I hate definitions of "hacker" other than RFC1392)
>
>
> PS: probably "too early" to discuss that, but I will be interested, at
> some point, discussing the relationships with, or mechanisms for
> leveraging, CybOX objects in the description of Vulnerability (with an
> extended/better model than the CVE one), allowing, for example, the
> automation, or semi-automation of the COAs, especially in the context
> of web application software, where, for example, the Vulnerability
> model would have to offer information related to URIs/URLs and
> parameters (a little bit more than a CWE, and not a CPE). CVE+X ((for
> OVALX)) anyone?
>
>
> --
> Jane Ginn, MSIA, MRP
> CTI-TC Co-Secretary
> Cyber Threat Intelligence Network, Inc.
> jg@ctin.us
>
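The PS above sketches a Vulnerability record that carries more than a CVE/CWE reference, namely the URIs and parameters a web-application weakness lives at, so that a Course of Action can be derived semi-automatically. The following is an added illustration of that idea, not code from the thread, OASIS, or the STIX/CybOX specifications. It builds a STIX 2.0-style vulnerability object whose standard fields (type, id, created/modified, external_references) are real STIX 2.0 properties, and attaches a hypothetical custom property `x_web_targets` (STIX 2.0 reserves the `x_` prefix for custom properties; the name and shape here are assumptions). From that it emits a course-of-action object with illustrative WAF-style deny rules and a `mitigates` relationship. The CVE identifier used as sample input is a constructed placeholder, not a real CVE.

```python
"""Added example: a STIX 2.0-style Vulnerability object extended with a
hypothetical x_web_targets property, and a Course of Action derived from it.
Not part of the original thread or of any OASIS specification."""
import json
import re
import uuid
from datetime import datetime, timezone

# STIX 2.0 identifiers are "<type>--<UUIDv4>".
STIX_ID_RE = re.compile(
    r"^[a-z][a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$"
)


def stix_id(obj_type):
    """Generate a STIX 2.0 identifier for the given object type."""
    return f"{obj_type}--{uuid.uuid4()}"


def is_valid_stix_id(value):
    """Check the '<type>--<uuid4>' form required by STIX 2.0."""
    return bool(STIX_ID_RE.match(value))


def stix_timestamp():
    """STIX 2.0 timestamp: RFC 3339 in UTC with millisecond precision."""
    now = datetime.now(timezone.utc)
    return now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"


def make_vulnerability(name, cve_id, cwe_id, targets):
    """Build a vulnerability SDO.

    targets is a list of {"method", "uri", "parameter"} dicts stored under
    x_web_targets, a hypothetical custom property (assumption, not STIX).
    """
    now = stix_timestamp()
    return {
        "type": "vulnerability",
        "id": stix_id("vulnerability"),
        "created": now,
        "modified": now,
        "name": name,
        "external_references": [
            {"source_name": "cve", "external_id": cve_id},
            {"source_name": "cwe", "external_id": cwe_id},
        ],
        "x_web_targets": targets,  # hypothetical custom property
    }


def coa_from_vulnerability(vuln):
    """Derive a course-of-action SDO and a 'mitigates' relationship.

    One deny rule per (method, uri, parameter); the rule syntax is
    illustrative, not that of any particular WAF.
    """
    rules = [
        f"deny {t['method']} {t['uri']} param={t['parameter']}"
        for t in vuln["x_web_targets"]
    ]
    now = stix_timestamp()
    coa = {
        "type": "course-of-action",
        "id": stix_id("course-of-action"),
        "created": now,
        "modified": now,
        "name": f"Block exploitation of {vuln['name']}",
        "description": "\n".join(rules),
        "x_waf_rules": rules,  # hypothetical custom property
    }
    rel = {
        "type": "relationship",
        "id": stix_id("relationship"),
        "created": now,
        "modified": now,
        "relationship_type": "mitigates",
        "source_ref": coa["id"],
        "target_ref": vuln["id"],
    }
    return coa, rel


def build_bundle():
    """Constructed sample input: an SQL injection (CWE-89) in a login form.
    The CVE id is a placeholder, not a real CVE."""
    vuln = make_vulnerability(
        name="SQL injection in login form (constructed example)",
        cve_id="CVE-0000-0001",
        cwe_id="CWE-89",
        targets=[
            {"method": "POST", "uri": "/login", "parameter": "username"},
            {"method": "POST", "uri": "/login", "parameter": "password"},
        ],
    )
    coa, rel = coa_from_vulnerability(vuln)
    return {"type": "bundle", "id": stix_id("bundle"), "spec_version": "2.0",
            "objects": [vuln, coa, rel]}


if __name__ == "__main__":
    print(json.dumps(build_bundle(), indent=2))
```

The point of the example is the direction of data flow: once the vulnerability record names the URI and parameter, the COA can be generated rather than hand-written, which is what the "CVE+X" remark is asking for. Anything consuming such custom properties must treat them as untrusted input, since a malicious or sloppy feed could otherwise inject rules.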

