News & Events: 2013 Archive

December 18, 2013

CAPEC List Version 2.2 Now Available

CAPEC Version 2.2 has been posted on the CAPEC List page. A detailed report is available that lists the specific changes between Version 2.1 and Version 2.2. Changes for the new minor version release include adding 3 new entries (CAPEC-216: Abuse of Communication Channels, CAPEC-278: Web Services Protocol Manipulation, and CAPEC-484: XML Client-Side Attack) and adding 25 new mappings for 8 entries (CAPEC-217: Exploiting Incorrectly Configured SSL Security Levels, CAPEC-230: Recursive Payloads Sent to XML Parsers, CAPEC-231: Oversized Payloads Sent to XML Parsers, CAPEC-236: Catching exception Throw/Signal from Privileged Block, CAPEC-250: XML Injection, CAPEC-264: Environment Variable Manipulation, CAPEC-265: Global Variable Manipulation, and CAPEC-484: XML Client-Side Attack). There were no changes to the CAPEC Schema, which remains at Version 2.6. Comments are welcome on the CAPEC Researcher email discussion list. Future updates will be noted here and on the CAPEC Researcher list.

MITRE Hosts DHS/DoD Software and Supply Chain Assurance Working Group Meeting

MITRE hosted the DHS/DoD Software and Supply Chain Assurance Working Group Meeting on December 17-19, 2013 at MITRE Corporation in McLean, Virginia, USA. Discussion topics included the Software and Supply Chain Assurance (SSCA) Way Ahead; the Cyber Executive Order and Framework/Emerging Industry Standards and Best Practices; the Tools and Technology State-of-the-Art Report (SOAR); Supply Chain Risk Management (SCRM) Taxonomies for Information Sharing; Education and Training; SSCA Mobile; the DHS Research and Development Software Assurance Marketplace (SWAMP); and a SCRM Working Group Workshop. Visit the CAPEC Calendar for information on this and other events.

CAPEC/CWE Briefing and Software Assurance Panel at AppSec USA 2013

CAPEC/CWE Program Manager Robert A. Martin and CAPEC/CWE Co-Founder and Architect Sean Barnum presented a briefing about Common Attack Pattern Enumeration and Classification (CAPEC™) and Common Weakness Enumeration (CWE™) entitled "Tagging Your Code with a Useful Assurance Label," and Barnum also participated in a panel discussion about software assurance entitled "Aim-Ready-Fire," at AppSec USA 2013 in New York City, New York, USA on November 20, 2013. Visit the CAPEC Calendar for information on this and other events.

October 23, 2013

"Use & Citations of CAPEC" Page Added to Community Section

A "Use & Citations of CAPEC" page has been added to the Community section of the CAPEC Web site. The new page lists the numerous documents and resources that use or cite CAPEC in the areas of Academia, Government, Industry, Policy, Reference, and Standards.

September 5, 2013

CAPEC Project Actively Seeking Community Input

The CAPEC effort is actively seeking new content submissions of "attack pattern data," as well as edits to existing entries on the CAPEC List, from developers, testers, educators, vendors, etc. Read the initial announcement and/or visit the Submit Content page for additional information.

August 8, 2013

MITRE Hosts CAPEC Booth at Black Hat Briefings 2013

MITRE hosted a "Strengthening Cyber Defense" booth that included CAPEC at Black Hat Briefings 2013 at Caesar's Palace in Las Vegas, Nevada, USA, on July 27 – August 1, 2013. Visit the CAPEC Calendar for information on this and other events.

July 25, 2013

"Submit Content" Page Added to CAPEC List Section for Community Contributions

A Submit Content page is now available on the CAPEC Web site so that developers, testers, educators, and other members of the information security community can submit new attack patterns, or edits to existing attack pattern data, to the CAPEC Content Team to be reviewed, assigned a CAPEC-ID if applicable, and published on the CAPEC List for use by the community. The page also includes instructions for filling out and returning a "CAPEC Attack Pattern Data Content Submission Questionnaire Form." Comments and questions about submitting content to the CAPEC effort are welcome at capec@mitre.org.

"CAPEC Schema Description Version 2.6" Document Updated

The updated CAPEC Schema Description Version 2.6 document has been posted in the Schema Documentation section of the CAPEC Documents page.

July 19, 2013

MITRE to Host CAPEC Booth at Black Hat Briefings 2013 on July 27 – August 1

MITRE will host a "Strengthening Cyber Defense" booth that includes CAPEC at Black Hat Briefings 2013 at Caesar's Palace in Las Vegas, Nevada, USA, on July 27 – August 1, 2013. Attendees will learn how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures. Members of the CAPEC Team will be in attendance. Please stop by Booth 242 and say hello! Visit the CAPEC Calendar for information on this and other events.

CAPEC/CWE Briefings at DHS/DoD SSCA Working Group Meeting Session – Summer 2013

CAPEC/CWE Program Manager Robert A. Martin engaged the working group participants in discussions about applying Common Attack Pattern Enumeration and Classification (CAPEC) and Common Weakness Enumeration (CWE) to the software and supply chain assurance problems of software, hardware, and services at the DHS/DoD Software and Supply Chain Assurance (SSCA) Working Group Meeting Session – Summer 2013 on June 25-27, 2013 at MITRE Corporation in McLean, Virginia, USA. Visit the CAPEC Calendar for information on this and other events.

June 21, 2013

CAPEC List Version 2.1 Now Available

CAPEC Version 2.1 has been posted on the CAPEC List page. A detailed report is available that lists the specific changes between Version 2.0 and Version 2.1. Changes for the new minor version release include adding 1 new "Deprecated Entries" View (CAPEC-483); deprecating 15 Web Application Security Consortium (WASC) entries; adding various missing summaries and enhancing some entries; fixing some minor typos; recasting code into code-formatting blocks; and updating the References/Citations. The CAPEC Schema was updated to Version 2.6 to remove the capec:Reference_Description field and to make all of the enumerated values whitespace-flexible. In addition, some max/minOccurs values were changed or added to support content maintenance. The Schema Documentation was also updated to Version 2.6. Comments are welcome on the CAPEC Researcher email discussion list. Future updates will be noted here and on the CAPEC Researcher list.

CAPEC/CWE Briefing at CISQ Seminar at OMG Technical Meeting, Berlin, Germany

CAPEC/CWE Program Manager Robert A. Martin presented a briefing about Common Attack Pattern Enumeration and Classification (CAPEC) and Common Weakness Enumeration (CWE) entitled "Measuring and Managing Software Security" at the Consortium for IT Software Quality (CISQ) Seminar at the OMG Technical Meeting on June 19, 2013 in Berlin, Germany. Visit the CAPEC Calendar for information on this and other events.

June 6, 2013

CAPEC/CWE Briefings at DHS/DoD SSCA Working Group Meeting Session – Summer 2013, June 25-27

CAPEC/CWE Program Manager Robert A. Martin will be engaging the working group participants in discussions about applying Common Attack Pattern Enumeration and Classification (CAPEC) and Common Weakness Enumeration (CWE) to the software and supply chain assurance problems of software, hardware, and services at the DHS/DoD Software and Supply Chain Assurance (SSCA) Working Group Meeting Session – Summer 2013 on June 25-27, 2013 at MITRE Corporation in McLean, Virginia, USA. Co-sponsored by organizations in the U.S. Department of Homeland Security (DHS), U.S. Department of Defense (DoD), and U.S. National Institute of Standards and Technology (NIST), the DHS/DoD Software and Supply Chain Assurance (SSCA) Working Group Sessions provide venues for public-private interaction and collaboration on enhancing software security and focus on "software security-related advances in practices, products, and standards for software development, acquisition, supply chain management, education and training, tools, and measurement in order to reduce risk." Visit the CAPEC Calendar for information on this and other events.

May 10, 2013

CAPEC Mentioned in Article about Classifying Network Security Attacks on Certshelp.com

CAPEC and MAEC are mentioned in a February 13, 2013 article entitled "How to Classify Network Security Attacks" on Certshelp.com. The main focus of the article is the importance of classifying threats and using the perspective of the attacker to categorize those threats. The author states: "The patterns which attacks follow are a powerful source for helping to communicate and capture attacker's perspectives. In order to exploit vulnerabilities, the patterns are the methods and their general descriptions. These patterns are driven from the design pattern concepts which are applied in destructive context rather than constructive context and these pattern concepts are based on in depth analysis and examples of specific real world exploits." CAPEC and MAEC are mentioned at the beginning of the article as follows: "For improving security a number of publicly available databases are available for classifications which provide attack pattern catalog and taxonomies for classifications. These help in identification, sharing, and refining the patterns of attacks. The following list shows the most famous databases … [Common Attack Pattern Enumeration and Classification (CAPEC™); Open Web Application Security Project's (OWASP) Application Security Verification Standard (ASVS); Web Application Security Consortium's (WASC) Threat Classification (WASC TC); and Malware Attribute Enumeration and Characterization (MAEC™)]."

MITRE Hosts CAPEC Booth at InfoSec World 2013

MITRE hosted a "Strengthening Cyber Defense" booth that included CAPEC at InfoSec World Conference & Expo 2013 at Walt Disney World Swan and Dolphin in Orlando, Florida, USA, on April 15-17, 2013. Visit the CAPEC Calendar for information on this and other events.

April 8, 2013

CAPEC List Version 2.0 Now Available

CAPEC Version 2.0 has been posted on the CAPEC List page. A detailed report is available that lists the specific changes between Version 1.7.1 and Version 2.0. Changes for the new major version release include updating the CAPEC XML Document content to conform to the new namespace capabilities in Version 2.5 of the CAPEC Schema. No changes were made to CAPEC content. The CAPEC Schema, now at Version 2.5, was updated to include the following: modifying the schema to support namespaces, in support of Structured Threat Information eXpression (STIX™) and other external schemas that use CAPEC's schema; and moving from Cyber Observable eXpression (CybOX™) Version 1.0 to Version 2.0 for CAPEC Observables. Comments are welcome on the CAPEC Researcher email discussion list. Future updates will be noted here and on the CAPEC Researcher list.

Photos from CAPEC Booth at RSA 2013

MITRE hosted a "Strengthening Cyber Defense" booth that included CAPEC at RSA Conference 2013 at the Moscone Center in San Francisco, California, USA, on February 25 – March 1, 2013.

Strengthening Cyber Defense booth photos: (twelve booth photos, not reproduced here)

Visit the CAPEC Calendar for information on this and other events.

March 8, 2013

MITRE to Host CAPEC Booth at InfoSec World 2013, April 15-17

MITRE will host a "Strengthening Cyber Defense" booth that includes CAPEC at InfoSec World Conference & Expo 2013 at Walt Disney World Swan and Dolphin in Orlando, Florida, USA, on April 15-17, 2013. Attendees will learn how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures. Members of the CAPEC Team will be in attendance. Please stop by Booth 313 and say hello! Visit the CAPEC Calendar for information on this and other events.

MITRE Hosts CAPEC Booth at RSA 2013

MITRE hosted a "Strengthening Cyber Defense" booth that included CAPEC at RSA Conference 2013 at the Moscone Center in San Francisco, California, USA, on February 25 – March 1, 2013. Visit the CAPEC Calendar for information on this and other events.

CAPEC/CWE/CWSS/CWRAF Briefing at DHS Software Assurance Summit 2013

CWE/CAPEC Program Manager Robert A. Martin presented a briefing entitled "Measurable Software Assurance Against Expected Threats" at DHS Software Assurance Summit 2013 on February 20-21, 2013 in Gaithersburg, Maryland, USA. The briefing included discussion of Common Weakness Enumeration (CWE), Common Attack Pattern Enumeration and Classification (CAPEC), Common Weakness Scoring System (CWSS), and Common Weakness Risk Analysis Framework (CWRAF), and detailed how the "use of structured assurance case tools and methods can ease the navigation and explanation of what was done to address the weaknesses of a system for third party review and the evolution and understanding of why someone should have confidence and assurance about a system throughout its lifetime." Visit the CAPEC Calendar for information on this and other events.

February 12, 2013

Security-Database Makes Two Declarations of CAPEC Compatibility

Security-Database declared that its database naming scheme that provides a structured enumeration of specific detailed descriptions for a security alert or product, Security-Database vDNA API, and its security advisories and archives web services, Security-Database Website, are CAPEC-Compatible. For additional information, visit the CAPEC Compatibility Program section.

CAPEC/CWE/CWSS/CWRAF Briefing at DHS Software Assurance Summit 2013 on February 20-21

CWE/CAPEC Program Manager Robert A. Martin will present a briefing entitled "Measurable Software Assurance Against Expected Threats" at DHS Software Assurance Summit 2013 on February 20-21, 2013 in Gaithersburg, Maryland, USA. The briefing will include discussion of Common Weakness Enumeration (CWE), Common Attack Pattern Enumeration and Classification (CAPEC), Common Weakness Scoring System (CWSS), and Common Weakness Risk Analysis Framework (CWRAF), and will detail how the "use of structured assurance case tools and methods can ease the navigation and explanation of what was done to address the weaknesses of a system for third party review and the evolution and understanding of why someone should have confidence and assurance about a system throughout its lifetime." Visit the CAPEC Calendar for information on this and other events.

MITRE to Host CAPEC Booth at RSA 2013, February 25 – March 1

MITRE will host a "Strengthening Cyber Defense" booth that includes CAPEC at RSA Conference 2013 at the Moscone Center in San Francisco, California, USA, on February 25 – March 1, 2013. Attendees will learn how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures. Members of the CAPEC Team will be in attendance. Please stop by Booth 2617 and say hello! Visit the CAPEC Calendar for information on this and other events.

Updated CAPEC Introductory Flyer Now Available

The updated CAPEC Introductory Flyer, a brief two-page introduction to the CAPEC effort, is now available on the Documents page.

January 11, 2013

MITRE Announces Initial "Making Security Measurable" Calendar of Events for 2013

MITRE has announced its initial Making Security Measurable calendar of events for 2013. Details regarding MITRE's scheduled participation at these events are noted on the CAPEC Calendar page. Each listing includes the event name with URL, the date of the event, the location, and a description of our activity at the event.

Other events may be added throughout the year. Visit the CAPEC Calendar for information, or contact capec@mitre.org to have MITRE present a briefing or participate in a panel discussion about CAPEC™, CWE™, CWSS™, CVE®, OVAL®, CCE™, CPE™, CEE™, MAEC™, CybOX™, STIX™, TAXII™, and/or Making Security Measurable at your event.