Subject: Fwd: Re: [cti-stix] Vulnerability object added
Jerome:

So this suggestion does not get lost in the shuffle of the final push toward MVP I'm forwarding it to the CybOX list as well. There will be an effort to reorganize the path forward after we get the STIX 2.0 & CybOX 3.0 Pre-Draft Specs out for public review. That effort will be aimed at picking up the threads for the discussions on the Objects and issues that have been temporarily placed on hold in order to meet the July 29th deadline.

That would be a good time to get this suggestion on the agenda.

Jane Ginn

*************************************************

Hi,

I suggest reusing standardized definitions for CTI. (they could be tweaked a bit for highlighting/explaining the relationships between the CTI objects using the CTI objects' names)

For example:

vulnerability
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.
Source: NIST SP 800-30 Rev 1 CNSSI 4009 revised April 6, 2015

if considered too generic - another example

A vulnerability is a software weakness that can be exploited by an attacker. Bugs and flaws collectively form the basis of most software vulnerabilities.
https://buildsecurityin.us-cert.gov/articles/knowledge/attack-patterns/attack-pattern-glossary

(I hate definitions of "hacker" other than RFC1392)

PS: probably "too early" to discuss that, but I will be interested, at some point, discussing the relationships with, or mechanisms for leveraging, CybOX objects in the description of Vulnerability (with an extended/better model than the CVE one), allowing, for example, the automation, or semi-automation of the COAs, especially in the context of web applications softwares, where, for example, the Vulnerability model would have to offer information related to URIs/URLs and parameters (a little bit more than a CWE, and not a CPE).

CVE+X ((for OVALX)) anyone?

--
Jane Ginn, MSIA, MRP
CTI-TC Co-Secretary
Cyber Threat Intelligence Network, Inc.
jg@ctin.us