News & Events

Thank You for Responding to the CAPEC Stakeholder Community Survey
March 13, 2023

Thank you to everyone who responded to our CAPEC Stakeholder Survey. We really appreciate it. The survey is now closed. Please contact the CAPEC Team at capec@mitre.org with any comments or concerns.

Immediate Feedback Requested from CAPEC Stakeholder Community – Brief Survey
February 23, 2023

The CAPEC program is seeking immediate feedback from its stakeholder community with this brief survey. Feel free to contact the CAPEC Team at capec@mitre.org with any additional comments or concerns.

CAPEC List Version 3.9 Now Available
January 24, 2023

CAPEC Version 3.9 has been posted on the CAPEC List page. A detailed report is available that lists specific changes between Version 3.8 and Version 3.9. Version 3.9 includes:
* This attack pattern was submitted by a member of the CAPEC Community.
See an example below:

We plan to continue updating the visible fields in collaboration with the CWE/CAPEC User Experience Working Group (UEWG). Join today to provide your feedback, or contact us at capec@mitre.org.

There were no schema updates.

Summary

There are now 559 total attack patterns listed. Changes for the new version release include the following:
See the complete list of changes at https://capec.mitre.org/data/reports/diff_reports/v3.8_v3.9.html.

Future updates will be noted here, on the CAPEC Research email discussion list, the CAPEC page on LinkedIn, and on @cwecapec on Twitter. Please contact us with any comments or concerns.

CAPEC List Version 3.8 Now Available
September 29, 2022

CAPEC Version 3.8 has been posted on the CAPEC List page. A detailed report is available that lists specific changes between Version 3.7 and Version 3.8. Version 3.8 includes:
There were no schema updates.

Summary

There are now 555 total attack patterns listed. Changes for the new version release include the following:
See the complete list of changes at https://capec.mitre.org/data/reports/diff_reports/v3.7_v3.8.html.

Future updates will be noted here, on the CAPEC Research email discussion list, the CAPEC page on LinkedIn, and on @cwecapec on Twitter. Please contact us with any comments or concerns.

New CWE/CAPEC Board Member from University of Nebraska Omaha
September 9, 2022

Robin Gandhi of the University of Nebraska Omaha has joined the CWE/CAPEC Board. Through open and collaborative discussions, CWE/CAPEC Board members provide critical input regarding domain coverage, coverage goals, operating structure, and strategic direction. Members include technical implementers who provide input and guidance regarding the creation, design, review, maintenance, and application of CWE/CAPEC entries; subject matter experts who are domain experts in weakness and/or attack pattern fields and represent a significant constituency related to, or affected by, CWE/CAPEC; and advocates who actively support and promote CWE/CAPEC throughout the community in a highly visible and responsible manner.

CWE/CAPEC Podcast: “Using CWE/CAPEC in Education”
July 11, 2022

The CWE/CAPEC Program’s “Out-of-Bounds Read” podcast is devoted to helping the community that protects systems by understanding weaknesses and attack patterns in software and hardware. In our latest episode, “Using CWE/CAPEC in Education,” we chat with Pietro Braione of Università degli Studi di Milano - Bicocca about how he uses CWE and CAPEC in college-level classes to teach cybersecurity. How the taxonomy can help teach the breadth of issues in software development is also discussed. The podcast is available for free on the CWE/CAPEC Program Channel on YouTube, the Out-of-Bounds Read page on Buzzsprout, or on podcast platforms.
Please give the podcast a listen and let us know what you think by commenting on Twitter at @cwecapec or sending a direct message, or email us at capec@mitre.org or cwe@mitre.org. We look forward to hearing from you!

Strobes Security Added to “CAPEC Organization Usage” Page that Highlights How Vendors Are Using CAPEC
June 21, 2022

The “CAPEC Organization Usage” page highlights how organizations are actively using CAPEC in their products. Each listing includes the company name, a summary statement of use, a brief description, and a screenshot (when available). One new organization was added:

Strobes Security – Strobes VI Advanced Vulnerability Intelligence correlates with CAPEC and other taxonomies to continuously maintain and upgrade its threat data.
To view the complete listing, visit the CAPEC Organization Usage page. We encourage any organization currently using CAPEC to contact us to be added to this page. We look forward to hearing from you!

CAPEC/CWE Blog: “How to Effectively Utilize Hardware CWEs Across your Organization” Contributed by Jason Oberg of Tortuga Logic
May 15, 2022

The CAPEC/CWE Program is pleased to welcome the contribution of this CAPEC/CWE Blog article by Tortuga Logic, one of our key partners. The article, “How to Effectively Utilize Hardware CWEs Across your Organization,” was written by Jason Oberg, co-founder of Tortuga Logic, and discusses two ways that hardware CWE can be applied to enable higher levels of security assurance throughout semiconductor organizations.

It should be noted that the views and opinions expressed in this article do not necessarily state or reflect those of the CAPEC/CWE Program, and any reference to a specific product, process, or service does not constitute or imply an endorsement by the CAPEC/CWE Program of the product, process, or service, or its producer or provider.

Read the complete article on the CAPEC/CWE Blog on Medium.

CAPEC/CWE Blog: “The Missing Piece in Vulnerability Management” Contributed by Fil Filiposki of AttackForge
May 5, 2022

The CAPEC/CWE Program is pleased to welcome the contribution of this CAPEC/CWE Blog article by AttackForge, one of our key partners. The article, “The Missing Piece in Vulnerability Management,” was written by Fil Filiposki, co-founder of AttackForge, and is our first-ever blog contributed by a CWE/CAPEC Program partner. It discusses the need for normalizing pen testing results so they can be merged with vulnerability management systems, and how CAPEC is part of the solution.
It should be noted that the views and opinions expressed in this article do not necessarily state or reflect those of the CWE/CAPEC Program, and any reference to a specific product, process, or service does not constitute or imply an endorsement by the CWE/CAPEC Program of the product, process, or service, or its producer or provider.

Read the complete article on the CAPEC/CWE Blog on Medium.

New CWE/CAPEC Board Member from Red Hat
May 5, 2022

Jeremy West of Red Hat, Inc. has joined the CWE/CAPEC Board. Through open and collaborative discussions, CWE/CAPEC Board members provide critical input regarding domain coverage, coverage goals, operating structure, and strategic direction. Members include technical implementers who provide input and guidance regarding the creation, design, review, maintenance, and application of CWE/CAPEC entries; subject matter experts who are domain experts in weakness and/or attack pattern fields and represent a significant constituency related to, or affected by, CWE/CAPEC; and advocates who actively support and promote CWE/CAPEC throughout the community in a highly visible and responsible manner.

Six Transcripts from “CAPEC Program User Summit” Now Available
May 5, 2022 (Updated June 2, 2022)

The transcripts below are now available from the first-ever “CAPEC Program User Summit.” Additional transcripts will be added as they become available.
Talking Exploits, Session 1 - Pen Testing and Execution Flows - Navaneeth Krishnan Subramanian, CAPEC/CWE Program
Thank you again to our presenters and everyone who attended this community event.

CAPEC/CWE Blog: “Celebrating the 15th Anniversary of CAPEC”
March 23, 2022

The CAPEC/CWE Team’s “Celebrating the 15th Anniversary of CAPEC” blog article reflects on the development of the project and the plans for the future, with collaboration of the CAPEC community. CWE is also discussed. Read the complete article on the CAPEC/CWE Blog on Medium.

Videos from “CAPEC Program User Summit” Now Available
March 23, 2022

The videos below are now available on the CAPEC/CWE YouTube channel from the first-ever “CAPEC Program User Summit.”
Session 1 - Pen Testing and Execution Flows

Thank you again to our presenters and everyone who attended on February 23.

Join the CWE/CAPEC Rest API Working Group!
March 23, 2022

The objective of the “CWE/CAPEC Rest API Working Group” is to ease the interface between the CWE and CAPEC databases themselves and the security software and hardware architects, EDA tool developers, and verification engineers concerned with mitigating security risks in their products. A new RESTful API will be designed. View the invitation to join the working group from Adam Cron of Synopsys, Chair of the CWE/CAPEC Rest API Working Group.

CAPEC/CWE Podcast: “Why Cisco Uses CWE While Looking at Fixing Vulnerabilities”
March 23, 2022

The CWE/CAPEC Program’s “Out-of-Bounds Read” podcast is devoted to helping the community that protects systems by understanding weaknesses and attack patterns in software and hardware. In our seventh episode, “Why Cisco Uses CWE While Looking at Fixing Vulnerabilities,” we talk with Cisco’s Tim Wadhwa-Brown, Security Research and Offensive Security for Professional Services in Europe, and Jared Pendleton, Advanced Security Initiatives Group, about Cisco using CWE for finding and fixing vulnerabilities. They find it useful for categorizing the types of vulnerabilities, which helps determine the root cause of possible future vulnerabilities. The podcast is available for free on the CWE/CAPEC Program Channel on YouTube, the Out-of-Bounds Read page on Buzzsprout, or on podcast platforms.

Please give the podcast a listen and let us know what you think by commenting on Twitter at @cwecapec or sending a direct message, or email us at cwe@mitre.org or capec@mitre.org. We look forward to hearing from you!

Thank You “CAPEC Program User Summit” Attendees and Presenters
March 2, 2022

Thank you to everyone who attended last week’s first-ever “CAPEC Program User Summit,” and a very special thank you to our presenters:
Akond Rahman, Tennessee Tech University

And to our CAPEC Team members from MITRE:

We’ll be posting videos of the summit sessions soon on our CAPEC/CWE YouTube channel, so keep an eye out!

CAPEC List Version 3.7 Now Available
February 25, 2022

CAPEC Version 3.7 has been posted on the CAPEC List page. A detailed report is available that lists specific changes between Version 3.6 and Version 3.7. Version 3.7 includes:
There were no schema updates.

Summary

There are now 546 total attack patterns listed. Changes for the new version release include the following:
See the complete list of changes at https://capec.mitre.org/data/reports/diff_reports/v3.6_v3.7.html.

Future updates will be noted here, on the CAPEC Research email discussion list, the CAPEC page on LinkedIn, and on @cwecapec on Twitter. Please contact us with any comments or concerns.

Final Agenda for the “CAPEC Program User Summit” Now Available
February 22, 2022

The final agenda for the first-ever virtual “CAPEC Program User Summit” on Wednesday, February 23, 2022, from 11:00 a.m. to 4:00 p.m. EST is below. View a text version of the agenda here.

Last Chance to Join Us for the “CAPEC Program User Summit” on February 23
February 22, 2022

Last chance to join the CAPEC community for the first-ever virtual “CAPEC Program User Summit” on Wednesday, February 23, 2022, from 11:00 am to 4:00 pm EST. Program improvements, education and awareness, and modernization will be the focus areas for this event.

Register

Register for the event here.

Agenda

Attendees will have the opportunity to participate in subsequent discussions around the topics below.
CAPEC/CWE Podcast: “Beyond the Buffer Overflow: Finding Weaknesses in Software, an Interview with Larry Cashdollar”
February 22, 2022

The CWE/CAPEC Program’s “Out-of-Bounds Read” podcast is devoted to helping the community that protects systems by understanding weaknesses and attack patterns in software and hardware. In our sixth episode, “Beyond the Buffer Overflow: Finding Weaknesses in Software, an Interview with Larry Cashdollar,” Larry Cashdollar of Akamai talks about the types of weaknesses in the many CVEs he has found as a CVE Numbering Authority and how the frequency of these weaknesses has changed. CAPEC is also mentioned. The podcast is available for free on the CWE/CAPEC Program Channel on YouTube, the Out-of-Bounds Read page on Buzzsprout, or on podcast platforms.

Please give the podcast a listen and let us know what you think by commenting on Twitter at @cwecapec or sending a direct message, or email us at cwe@mitre.org or capec@mitre.org. We look forward to hearing from you!

CAPEC/CWE Blog: “Mind Your REGEX or It Can Put Your Program Into an Infinite Loop”
February 1, 2022

The CAPEC/CWE Team’s “Mind Your REGEX or It Can Put Your Program Into an Infinite Loop” blog article explains that if your project uses or implements regular expressions, you need to check them for a weakness that might allow an attacker to stop your program from working. CAPEC is also discussed. Read the complete article on the CAPEC/CWE Blog on Medium.

Don't Miss Out! Join Us for the “CAPEC Program User Summit” on February 23!
January 13, 2022 (Updated February 3, 2022)

Please join the CAPEC team for our first-ever virtual “CAPEC Program User Summit” on Wednesday, February 23, 2022, from 10:30 am to 4:30 pm EST. Program improvements, education and awareness, and modernization will be the focus areas for this event.
Attendees will have the opportunity to participate in subsequent discussions around the following topics and more:
A complete agenda and additional details will be available soon. Register for the event here.

CAPEC/CWE Blog: “HTTP Desync: The Redux and Evolution of HTTP Smuggling and Splitting Attack Techniques”
January 13, 2022

The CAPEC/CWE Team’s “HTTP Desync: The Redux and Evolution of HTTP Smuggling and Splitting Attack Techniques” blog article provides a primer on the often conflated HTTP (response/request) (splitting/smuggling) attack techniques, as well as information about which CAPEC entries may help further distinguish between the two. Read the complete article on the CAPEC/CWE Blog on Medium.

CWE/CAPEC Board Approves Version 1.0 of Board Charter
January 10, 2022

The CWE/CAPEC Board approved version 1.0 of the “CWE/CAPEC Board Charter” on January 7, 2022. The charter includes two main sections, “Board Overview and Member Responsibilities” and “Board Membership and Operations,” as well as a “Board Charter Review” section that describes the process for updating the charter. Along with version 1.0 of the charter document, the Board also approved the “CWE/CAPEC Program Professional Code of Conduct.”

CAPEC/CWE Communications Survey
January 6, 2022

The CAPEC/CWE Program requests your feedback on our communications efforts. We would like to learn what you think about the topics being covered on our CAPEC/CWE Blog and Out-of-Bounds Read podcast, as well as anything else that you want to see or learn more about. Please respond to our “CAPEC/CWE Communications Survey” and share your thoughts today!