News & Events: 2014 Archive

July 23, 2014

CAPEC List Version 2.6 Now Available

CAPEC Version 2.6 has been posted on the CAPEC List page. A detailed report is available that lists the specific changes between Version 2.5 and Version 2.6. There are now 463 total attack patterns listed. Changes for the new version release include the following:
Comments are welcome on the CAPEC Research Email Discussion List. Future updates will be noted here and on the CAPEC Research list.

MITRE Hosts Software and Supply Chain Assurance Working Group Meeting

MITRE hosted the Software and Supply Chain Assurance (SSCA) Working Group Meeting on June 9, 10, 11, and 17, 2014 at MITRE Corporation in McLean, Virginia, USA. The event focused on mitigating hardware and software risks in the supply chain. Visit the CAPEC Calendar for information on this and other events.

June 3, 2014
MITRE to Host Software and Supply Chain Assurance Working Group Meeting, June 9, 10, 11, 17

MITRE will host the Software and Supply Chain Assurance (SSCA) Working Group Meeting on June 9, 10, 11, and 17, 2014 at MITRE Corporation in McLean, Virginia, USA. The event focuses on mitigating hardware and software risks in the supply chain. See the event agenda for additional information. Visit the CAPEC Calendar for information on this and other events.

May 15, 2014
CAPEC, CWE, and CVE are the main topics of the article "Security Standards Help Stop Heartbleed" by CAPEC Technical Lead Drew Buttner, published on MITRE's Cybersecurity blog on May 7, 2014. "Heartbleed," or CVE-2014-0160, is a serious vulnerability in "certain versions of OpenSSL where it enables remote attackers to obtain sensitive information, such as passwords and encryption keys. Many popular websites have been affected or are at risk, which in turn, puts countless users and consumers at risk." The article defines the Common Vulnerabilities and Exposures (CVE®), Common Weakness Enumeration (CWE™), and Common Attack Pattern Enumeration and Classification (CAPEC™) efforts and explains the problem each solves. In sections entitled "CVE and Heartbleed," "CWE and Heartbleed," and "CAPEC and Heartbleed," the article describes how CVE helped when the issue became public by assigning CVE-2014-0160 to what was also being referred to as the Heartbleed bug, and how CWE and CAPEC can help prevent future Heartbleeds. The author concludes the article as follows: "Security automation efforts such as CVE, CWE, and CAPEC can help reduce the possibility of similar severe vulnerabilities such as Heartbleed in the future. But it is incumbent upon developers and other security professionals to actively leverage resources such as these to be better prepared for the next Heartbleed." Read the complete article at http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/security-standards-help-stop-heartbleed.

May 7, 2014
CAPEC List Version 2.5 Now Available

CAPEC Version 2.5 has been posted on the CAPEC List page. A detailed report is available that lists the specific changes between Version 2.4 and Version 2.5. There are now 453 total attack patterns listed. Changes for the new version release include the following:

Comments are welcome on the CAPEC Research Email Discussion List. Future updates will be noted here and on the CAPEC Research list.

CAPEC List Main Landing Page Enhanced to Improve Ease-of-Use

The CAPEC List page on the CAPEC Web site has been enhanced with new information and new functionality to better serve our users. The page has been completely reorganized for ease-of-use so you can quickly Search, Review, and/or Download CAPEC. New functionality includes the "Search CAPEC" feature at the top of the page, which lets you find a specific attack pattern by searching the CAPEC List by keyword(s) or by CAPEC-ID number. New information in the "Review CAPEC" section includes more detailed descriptions of the three categories of content views created to help you navigate the list: By Hierarchical Representation, By Relationships to External Factors, and By Relationships to Specific Attributes. Each of these three methods provides a distinct view into CAPEC to help you find a specific attack pattern or to show the relationships among different patterns. In addition, the Release Notes, Schema Documentation, and Release Downloads have all been consolidated from standalone pages into sections of the CAPEC List main landing page, so that all information about the list is accessible from a single location. Comments or concerns about the revised page are welcome at capec@mitre.org.

CAPEC is mentioned in the preface to the March/April 2014 issue of Crosstalk: The Journal of Defense Software Engineering, the main topic of which is "Mitigating Risks of Counterfeit and Tainted Components." The preface was written by Roberta Stempfley, Acting Assistant Secretary at the U.S. Department of Homeland Security's Office of Cybersecurity and Communications, and CVE is mentioned as follows: "How can we collaboratively orchestrate industry and government response to these attacks [on information and communications technology (ICT) assets]? One way is through the Common Vulnerabilities and Exposures (CVE) List, which is an extensive listing of publicly known vulnerabilities found after ICT components have been deployed. Sponsored by the Department of Homeland Security (DHS), the ubiquitous adoption of CVE has enabled the public and private sectors to communicate domestically and internationally in a consistent manner the vulnerabilities in commercial and open source software. CVE has enabled our operations groups to prioritize, patch, and remediate nearly 60,000 openly reported vulnerabilities. Unfortunately, vulnerabilities are proliferating rapidly thus stretching our capabilities and resources. As we seek to discover and mitigate the root causes of these vulnerabilities, sharing the knowledge we have of them helps to mitigate their impact. In order to keep pace with the threat, we must facilitate the automated exchange of information. To achieve that, DHS sponsors "free for use" standards, such as: Common Weakness Enumeration (CWE), which provides for the discussion and mitigation of architectural, design, and coding flaws introduced during development and prior to use; Common Attack Pattern Enumeration and Classification (CAPEC), which enables developers and defenders to discern the attacks and build software resistant to them; Malware Attribute Enumeration and Characterization (MAEC), which encodes and communicates high-fidelity information about malware based upon behaviors, artifacts, and attack patterns; Structured Threat Information eXpression (STIX), which conveys the full range of potential cyber threat information using the Trusted Automated eXchange of Indicator Information." The entire issue is available for free in a variety of formats at http://www.crosstalkonline.org/.

Software Assurance Roadmap Briefing at IEEE Chapter Meeting

CAPEC/CWE Program Manager Robert A. Martin presented a briefing that discussed Common Attack Pattern Enumeration and Classification (CAPEC™) and Common Weakness Enumeration (CWE™), entitled "Building a Software Assurance Road-map and Using It Effectively," at the IEEE Computer Society Northern VA Computer Chapter & ASQ 509 Software SIG Meeting in McLean, Virginia, USA on April 22, 2014. Visit the CAPEC Calendar for information on this and other events.

April 10, 2014
CAPEC List Version 2.4 Now Available

CAPEC Version 2.4 has been posted on the CAPEC List page. A detailed report is available that lists the specific changes between Version 2.3 and Version 2.4. There are now 534 total attack patterns listed. Changes for the new version release include the following:

Comments are welcome on the CAPEC Research Email Discussion List. Future updates will be noted here and on the CAPEC Research list.

Software Assurance Roadmap Briefing at IEEE Chapter Meeting on April 22

CAPEC/CWE Program Manager Robert A. Martin will present a briefing that discusses Common Attack Pattern Enumeration and Classification (CAPEC™) and Common Weakness Enumeration (CWE™), entitled "Building a Software Assurance Road-map and Using It Effectively," at the IEEE Computer Society Northern VA Computer Chapter & ASQ 509 Software SIG Meeting in McLean, Virginia, USA on April 22, 2014. Visit the CAPEC Calendar for information on this and other events.

CAPEC/CWE Program Manager Robert A. Martin; Emile Monette, Senior Advisor for Cybersecurity at the U.S. General Services Administration Office of Mission Assurance; and Dr. Paul Black, Computer Scientist at the U.S. National Institute of Standards and Technology, co-presented a briefing entitled "Advances in Information Assurance Standards" at the CISQ Seminar–Software Quality in Federal Acquisitions in Reston, Virginia, USA on March 26, 2014. The briefing, which included discussion of Common Attack Pattern Enumeration and Classification (CAPEC™) and Common Weakness Enumeration (CWE™), described the "national efforts to identify and eliminate the causes of security breaches through the development of the Common Weakness Enumeration repository … best practices for using information in the repository for improving the security of software … how to measure the security of software and how this is done using the CISQ measure for security." The slides from this briefing are available at http://it-cisq.org/wp-content/uploads/2014/04/CISQ-Seminar-2014_03_26-Advances-in-Information-Assurance-Standards.pdf. Visit the CAPEC Calendar for information on this and other events.
MITRE Hosts Software and Supply Chain Assurance Spring Forum 2014

MITRE hosted the Software and Supply Chain Assurance (SSCA) Spring Forum 2014 on March 18-20, 2014 at MITRE Corporation in McLean, Virginia, USA. The theme for this event was "mitigating hardware and software risks in the supply chain." Visit the CAPEC Calendar for information on this and other events.

March 7, 2014
MITRE to Host Software and Supply Chain Assurance Spring Forum 2014, March 18-20

MITRE will host the Software and Supply Chain Assurance (SSCA) Spring Forum 2014 on March 18-20, 2014 at MITRE Corporation in McLean, Virginia, USA. The theme for this event is "mitigating hardware and software risks in the supply chain." See the event agenda and/or the event registration page for additional information. Visit the CAPEC Calendar for information on this and other events.

CAPEC/CWE Program Manager Robert A. Martin; Emile Monette, Senior Advisor for Cybersecurity at the U.S. General Services Administration Office of Mission Assurance; and Dr. Paul Black, Computer Scientist at the U.S. National Institute of Standards and Technology, will co-present a briefing entitled "Advances in Information Assurance Standards" at the CISQ Seminar–Software Quality in Federal Acquisitions in Reston, Virginia, USA on March 26, 2014. The briefing, which will include discussion of Common Attack Pattern Enumeration and Classification (CAPEC™) and Common Weakness Enumeration (CWE™), will describe the "national efforts to identify and eliminate the causes of security breaches through the development of the Common Weakness Enumeration repository … best practices for using information in the repository for improving the security of software … how to measure the security of software and how this is done using the CISQ measure for security." Visit the CAPEC Calendar for information on this and other events.

Security Assurance Discussion Panel at RSA 2014

CAPEC/CWE Program Manager Robert A. Martin participated in a discussion panel entitled "Measurement as a Key to Confidence: Providing Assurance" on February 27, 2014 at RSA Conference 2014 in San Francisco, California, USA. The discussion topic summary for this panel was as follows: "Providing security assurance relies on programs, schemes and assessors specifying and performing appropriate measurements. These may include sampling strategies, specification of appropriate boundaries and the rigor of assessment. Confidence in the security assurance claims depends on the conformity of assessments and appropriate measurement of the specification of the assurance requirements." Visit the CAPEC Calendar for information on this and other events.

February 6, 2014
CAPEC List Version 2.3 Now Available

CAPEC Version 2.3 has been posted on the CAPEC List page. A detailed report is available that lists the specific changes between Version 2.2 and Version 2.3. Changes for the new version release include 20 new attack patterns: CAPEC-473: Signature Spoofing, CAPEC-474: Signature Spoofing by Key Theft, CAPEC-475: Signature Spoofing by Improper Validation, CAPEC-476: Signature Spoofing by Misrepresentation, CAPEC-477: Signature Spoofing by Mixing Signed and Unsigned Content, CAPEC-482: TCP Flood, CAPEC-485: Signature Spoofing by Key Recreation, CAPEC-486: UDP Flood, CAPEC-487: ICMP Flood, CAPEC-488: HTTP Flood, CAPEC-489: SSL Flood, CAPEC-490: Amplification/Reflection Flood, CAPEC-498: Probing Application Screenshots, CAPEC-499: Intent Intercept, CAPEC-500: WebView Injection, CAPEC-501: Activity Hijack, CAPEC-502: Intent Spoof, CAPEC-503: WebView Exposure, CAPEC-504: Task Impersonation, and CAPEC-505: Scheme Squatting; and the addition of 12 new mappings for 5 entries. The observables namespace in the CAPEC Schema, which is now at Version 2.7, was updated to reflect Cyber Observable eXpression (CybOX™) Version 2.1. Comments are welcome on the CAPEC Researcher email discussion list. Future updates will be noted here and on the CAPEC Researcher list.