Subject: Re: Re: [cti-stix] Vulnerability object added
Thank you Jane. This would, for example, give an idea of the concept/context behind it:
https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications

Best regards

On Thu, Jul 14, 2016 at 10:58 PM, JG on CTI-TC <jg@ctin.us> wrote:
> Jerome:
>
> So this suggestion does not get lost in the shuffle of the final push toward
> MVP, I'm forwarding it to the CybOX list as well. There will be an effort to
> reorganize the path forward after we get the STIX 2.0 & CybOX 3.0 Pre-Draft
> Specs out for public review. That effort will be aimed at picking up the
> threads for the discussions on the Objects and issues that have been
> temporarily placed on hold in order to meet the July 29th deadline.
>
> That would be a good time to get this suggestion on the agenda.
>
> Jane Ginn
>
> *************************************************
>
> > Hi,
> >
> > I suggest reusing standardized definitions for CTI.
> > (They could be tweaked a bit for highlighting/explaining the
> > relationships between the CTI objects using the CTI objects' names.)
> >
> > For example:
> >
> > vulnerability
> > Weakness in an information system, system security procedures,
> > internal controls, or implementation that could be exploited by a
> > threat source.
> > Source: NIST SP 800-30 Rev 1
> > CNSSI 4009 revised April 6, 2015
> >
> > If considered too generic, another example:
> > A vulnerability is a software weakness that can be exploited by an
> > attacker. Bugs and flaws collectively form the basis of most software
> > vulnerabilities.
> > https://buildsecurityin.us-cert.gov/articles/knowledge/attack-patterns/attack-pattern-glossary
> >
> > (I hate definitions of "hacker" other than RFC1392.)
> >
> >
> > PS: probably "too early" to discuss that, but I will be interested, at
> > some point, in discussing the relationships with, or mechanisms for
> > leveraging, CybOX objects in the description of Vulnerability (with an
> > extended/better model than the CVE one), allowing, for example, the
> > automation or semi-automation of the COAs, especially in the context
> > of web application software, where, for example, the Vulnerability
> > model would have to offer information related to URIs/URLs and
> > parameters (a little bit more than a CWE, and not a CPE). CVE+X ((for
> > OVALX)) anyone?
>
>
> --
> Jane Ginn, MSIA, MRP
> CTI-TC Co-Secretary
> Cyber Threat Intelligence Network, Inc.
> jg@ctin.us
>