Realized that there's a huge gap in knowledge for some taxonomy and terms in #infosec. Here's a š§µ
Let's start with CWE from @CweCapec. Common Weakness Enumeration.
* This is š« a scoring system
* This is identifier for a type of vuln
For example: SQL Injection is CWE 89
It has broad "parent" and more specific "child" categories. But EOD, they are Vulnerability IDs 2/
* This is š« a scoring system
* This is identifier for a type of vuln
For example: SQL Injection is CWE 89
It has broad "parent" and more specific "child" categories. But EOD, they are Vulnerability IDs 2/
@CweCapec Let's look the one its most confused with. CVE (@CVEnew). This is a number that is assigned to a specific vulnerability identified against software/hardware that is publicly available (commerical/OSS). Ex: CVE-2022-0847 is a CVE given to the Linux #DirtyPipe vul. 3/
@CweCapec @CVEnew Its a specific vulnerability dataset, but it can be identified by a generic type of vulnerability i.e. CWE. In this case, the type of vulnerability is probably closer to a Buffer Overflow, i.e. CWE 119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) 4/
@CweCapec @CVEnew Then there's the scoring system CVSS (Common Vulnerability Scoring System). It consists of multiple "factors" of scoring a vulnerability based on a Base - think of it as a baseline score for a vulnerability of its nature. 5/
@CweCapec @CVEnew This is defined by params like AuthN, Access Control, C,I,A metrics and so on. Like a baseline. Then it has the "temporal" metrics, like exploitability and remediation. Things that tend to change over the lifetime of the vulnerability. finally, you have the "environmental" 6/
@CweCapec @CVEnew This refers to the specifics of the environment where the target system is deployed, that has an impact on the score of the vulnerability. Things like internal/external, collateral damage potential, etc. 7/
@CweCapec @CVEnew Finally you have CAPEC (Common Attack Pattern Enumeration and Classification). As the name suggests, these are a compendium of typical attack patterns and techniques against specific CWEs. 8/
@CweCapec @CVEnew It has multiple approaches to classification and is very complementary to....you guessed it the @MITREAttack framework. Its a thoroughly awesome and underrated taxonomy and classification set
@CweCapec @CVEnew @MITREattack That's a wrap!
If you enjoyed this thread:
1. Follow me @abhaybhargav for more of these
2. RT the tweet below to share this thread with your audience
If you enjoyed this thread:
1. Follow me @abhaybhargav for more of these
2. RT the tweet below to share this thread with your audience
https://twitter.com/abhaybhargav/status/1503777820241182728
ā¢ ā¢ ā¢
Missing some Tweet in this thread? You can try to
force a refresh
ć
