
News & Events


Thank You for Responding to the CAPEC Stakeholder Community Survey

March 13, 2023

Thank you to everyone who responded to our CAPEC Stakeholder Survey. We really appreciate it. The survey is now closed.

Please contact the CAPEC Team at capec@mitre.org with any comments or concerns.

Immediate Feedback Requested from CAPEC Stakeholder Community – Brief Survey

February 23, 2023

The CAPEC program is seeking immediate feedback from its stakeholder community with this brief survey.

Feel free to contact the CAPEC Team at capec@mitre.org with any additional comments or concerns.

CAPEC List Version 3.9 Now Available

January 24, 2023

CAPEC Version 3.9 has been posted on the CAPEC List page. A detailed report is available that lists specific changes between Version 3.8 and Version 3.9.

Version 3.9 includes:

  • Significant updates to one attack pattern:
  • Mapping updates:
    • Updated CAPEC-to-ATT&CK mappings based upon ATT&CK 12.0
    • Reviewed CAPECs not yet mapped to CWEs
      • Added 58 new CAPEC-to-CWE mappings
      • Added text explaining why there is no CWE mapping for the remaining unmapped CAPECs (e.g., “Social Engineering: CWE does not currently cover Social Engineering in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.”)
  • New Presentation Filters (ported from the CWE website):
    • Conceptual: For users interested in the more notional aspects of an attack pattern. Example: educators, technical writers, and project/program managers.
    • Operational: For users concerned with the practical application and details of an attack pattern and how to prevent it. Example: tool developers, security researchers, pen-testers, incident response analysts.
    • Mapping Friendly: For users mapping an issue to CAPEC/CWE IDs, i.e., finding the most appropriate CAPEC for a specific issue (e.g., a CVE record). Example: tool developers, security researchers.
    • Complete (Default): For users who wish to see all available information for the CAPEC/CWE entry.

    See an example below:

    Visual of the new presentation filter options

    We plan to continue updating the visible fields in collaboration with the CWE/CAPEC User Experience Working Group (UEWG). Join today to provide your feedback, or contact us at capec@mitre.org.

  • Many other minor improvements

* This attack pattern was submitted by a member of the CAPEC Community.

There were no schema updates.

Summary

There are now 559 total attack patterns listed.

Changes for the new version release include the following:

  • New Attack Patterns Added: 4
  • Existing Attack Patterns Updated: 56
  • Attack Patterns Deprecated: 0
  • New Categories Added: 0
  • Existing Categories Updated: 5
  • Existing Categories Deprecated: 0
  • New Views Added: 1
  • Existing Views Updated: 0
  • CAPEC-to-CWE Mappings Added: 58
  • CAPEC-to-CWE Mappings Removed: 3
  • CAPEC-to-CAPEC Mappings Added: 63
  • CAPEC-to-CAPEC Mappings Removed: 3

See the complete list of changes at https://capec.mitre.org/data/reports/diff_reports/v3.8_v3.9.html.

Future updates will be noted here, on the CAPEC Research email discussion list, CAPEC page on LinkedIn, and on @cwecapec on Twitter. Please contact us with any comments or concerns.

CAPEC List Version 3.8 Now Available

September 29, 2022

CAPEC Version 3.8 has been posted on the CAPEC List page. A detailed report is available that lists specific changes between Version 3.7 and Version 3.8.

Version 3.8 includes:

There were no schema updates.

Summary

There are now 555 total attack patterns listed.

Changes for the new version release include the following:

  • New Attack Patterns Added: 10
  • Existing Attack Patterns Updated: 214
  • Attack Patterns Deprecated: 1
  • New Categories Added: 6
  • Existing Categories Updated: 3
  • Existing Categories Deprecated: 0
  • New Views Added: 1
  • Existing Views Updated: 0
  • CAPEC-to-CWE Mappings Added: 16
  • CAPEC-to-CWE Mappings Removed: 4
  • CAPEC-to-CAPEC Mappings Added: 40
  • CAPEC-to-CAPEC Mappings Removed: 3

See the complete list of changes at https://capec.mitre.org/data/reports/diff_reports/v3.7_v3.8.html.

Future updates will be noted here, on the CAPEC Research email discussion list, CAPEC page on LinkedIn, and on @cwecapec on Twitter. Please contact us with any comments or concerns.

New CWE/CAPEC Board Member from University of Nebraska Omaha

September 9, 2022

Robin Gandhi of University of Nebraska Omaha has joined the CWE/CAPEC Board.

Through open and collaborative discussions, CWE/CAPEC Board members provide critical input regarding domain coverage, coverage goals, operating structure, and strategic direction. Members include technical implementers that provide input and guidance regarding the creation, design, review, maintenance, and applications of CWE/CAPEC entries; subject matter experts who are domain experts in weakness and/or attack pattern fields and represent a significant constituency related to, or affected by, CWE/CAPEC; and advocates who actively support and promote CWE/CAPEC throughout the community in a highly visible and responsible manner.

CWE/CAPEC Podcast: “Using CWE/CAPEC in Education”

July 11, 2022

The CWE/CAPEC Program’s “Out-of-Bounds Read” podcast is devoted to helping the community that protects systems by understanding weaknesses and attack patterns in software and hardware.

In our latest episode, “Using CWE/CAPEC in Education,” we chat with Pietro Braione of Università degli Studi di Milano - Bicocca about how he uses CWE and CAPEC in college-level classes to teach cybersecurity. How the taxonomy can help teach the breadth of issues in software development is also discussed.

Out of Bounds Read podcast episode 8 - Using CWE/CAPEC in Education

The podcast is available for free on the CWE/CAPEC Program Channel on YouTube, the Out-of-Bounds Read page on Buzzsprout, or on podcast platforms.

Please give the podcast a listen and let us know what you think by commenting on Twitter at @cwecapec or sending a direct message, or email us at capec@mitre.org or cwe@mitre.org. We look forward to hearing from you!

Strobes Security Added to “CAPEC Organization Usage” Page that Highlights How Vendors Are Using CAPEC

June 21, 2022

The “CAPEC Organization Usage” page highlights how organizations are actively using CAPEC in their products. Each listing includes the company name, a summary statement of use, brief description, and a screen shot (when available).

One new organization added:

Strobes Security – Strobes VI Advanced Vulnerability Intelligence correlates with CAPEC and other taxonomies to continuously maintain and upgrade its threat data.

To view the complete listing, visit the CAPEC Organization Usage page.

We encourage any organization currently using CAPEC to contact us to be added to this page. We look forward to hearing from you!

CAPEC/CWE Blog: “How to Effectively Utilize Hardware CWEs Across your Organization” Contributed by Jason Oberg of Tortuga Logic

May 15, 2022

The CAPEC/CWE Program is pleased to welcome the contribution of this CAPEC/CWE Blog article by Tortuga Logic, one of our key partners.

The article, “How to Effectively Utilize Hardware CWEs Across your Organization,” was written by Jason Oberg, co-founder of Tortuga Logic. It discusses two ways that hardware CWEs can be applied to enable higher levels of security assurance throughout semiconductor organizations.

It should be noted that the views and opinions expressed in this article do not necessarily state or reflect those of the CAPEC/CWE Program, and any reference to a specific product, process, or service does not constitute or imply an endorsement by the CAPEC/CWE Program of the product, process, or service, or its producer or provider.

Read the complete article on the CAPEC/CWE Blog on Medium.

CAPEC/CWE Blog: “The Missing Piece in Vulnerability Management” Contributed by Fil Filiposki of AttackForge

May 5, 2022

The CAPEC/CWE Program is pleased to welcome the contribution of this CAPEC/CWE Blog article by AttackForge, one of our key partners.

The article, “The Missing Piece in Vulnerability Management,” which discusses the need for normalizing pen testing results so they can be merged with vulnerability management systems — and how CAPEC is part of the solution, was written by Fil Filiposki, co-founder of AttackForge, and is our first-ever blog contributed by a CWE/CAPEC Program partner.

It should be noted that the views and opinions expressed in this article do not necessarily state or reflect those of the CWE/CAPEC Program, and any reference to a specific product, process, or service does not constitute or imply an endorsement by the CWE/CAPEC Program of the product, process, or service, or its producer or provider.

Read the complete article on the CAPEC/CWE Blog on Medium.

New CWE/CAPEC Board Member from Red Hat

May 5, 2022

Jeremy West of Red Hat, Inc. has joined the CWE/CAPEC Board.

Through open and collaborative discussions, CWE/CAPEC Board members provide critical input regarding domain coverage, coverage goals, operating structure, and strategic direction. Members include technical implementers that provide input and guidance regarding the creation, design, review, maintenance, and applications of CWE/CAPEC entries; subject matter experts who are domain experts in weakness and/or attack pattern fields and represent a significant constituency related to, or affected by, CWE/CAPEC; and advocates who actively support and promote CWE/CAPEC throughout the community in a highly visible and responsible manner.

Six Transcripts from “CAPEC Program User Summit” Now Available

May 5, 2022 (Updated June 2, 2022)

The transcripts below are now available from the first-ever “CAPEC Program User Summit.” Additional transcripts will be added as they become available.

Talking Exploits, Session 1 - Pen Testing and Execution Flows - Navaneeth Krishnan Subramanian, CAPEC/CWE Program
The Missing Piece in Vulnerability Management, Session 1 - Pen Testing and Execution Flows - Fil Filiposki, AttackForge
Case Studies of Industry to Academics—CAPEC’s Role in Threat Management at SJU, Session 2 - Using CAPEC in Education - Suzanna Schmeelk, St. John's University
CAPEC Entry Completeness and Quality, Session 4 - CAPEC Coverage, Completeness, and Quality - Steve Christey Coley, CAPEC/CWE Program
Supply Chain Attacks—MITRE’s System of Trust™ and CAPEC, Session 5 - Supply Chain Risk and CAPEC - Robert A. Martin, MITRE Corporation
Community Discussion—Future Vision for the CAPEC Program, Session 6 - Community Discussion: Future Vision for CAPEC - Alec J. Summers (moderator), CAPEC/CWE Program

Thank you again to our presenters and everyone who attended this community event.

CAPEC/CWE Blog: “Celebrating the 15th Anniversary of CAPEC”

March 23, 2022

The CAPEC/CWE Team’s “Celebrating the 15th Anniversary of CAPEC” blog article reflects on the development of the project and the plans for the future, with collaboration of the CAPEC community. CWE is also discussed.

Read the complete article on the CAPEC/CWE Blog on Medium.

Videos from “CAPEC Program User Summit” Now Available

March 23, 2022

The videos below are now available on the CAPEC/CWE YouTube channel from the first-ever “CAPEC Program User Summit.”

Session 1 - Pen Testing and Execution Flows
Session 2 - Using CAPEC in Education
Session 3 - Hardware and CAPEC
Session 4 - CAPEC Entry Completeness and Quality
Session 5 - Supply Chain Risk and CAPEC
Session 6 - Community Discussion: Future Vision for CAPEC

Thank you again to our presenters and everyone who attended on February 23.

Join the CWE/CAPEC Rest API Working Group!

March 23, 2022

The objective of the “CWE/CAPEC Rest API Working Group” is to ease the interface between the CWE and CAPEC databases and the people who consume them: security software and hardware architects, EDA tool developers, and verification engineers concerned with mitigating security risks in their products. A new RESTful API will be designed.

View the invitation to join the working group from Adam Cron of Synopsys, Chair of the CWE/CAPEC Rest API Working Group.

CAPEC/CWE Podcast: “Why Cisco Uses CWE While Looking at Fixing Vulnerabilities”

March 23, 2022

The CWE/CAPEC Program’s “Out-of-Bounds Read” podcast is devoted to helping the community that protects systems by understanding weaknesses and attack patterns in software and hardware.

In our seventh episode, “Why Cisco Uses CWE While Looking at Fixing Vulnerabilities,” we talk with Cisco’s Tim Wadhwa-Brown (Security Research and Offensive Security for Professional Services in Europe) and Jared Pendleton (Advanced Security Initiatives Group) about how Cisco uses CWE for finding and fixing vulnerabilities. They find it useful for categorizing the types of vulnerabilities they see, which helps determine the root causes of possible future vulnerabilities.

Out of Bounds Read podcast episode 7 - Why Cisco Uses CWE While Looking at Fixing Vulnerabilities

The podcast is available for free on the CWE/CAPEC Program Channel on YouTube, the Out-of-Bounds Read page on Buzzsprout, or on podcast platforms.

Please give the podcast a listen and let us know what you think by commenting on Twitter at @cwecapec or sending a direct message, or email us at cwe@mitre.org or capec@mitre.org. We look forward to hearing from you!

Thank You “CAPEC Program User Summit” Attendees and Presenters

March 2, 2022

Thank you to everyone who attended last week’s first-ever “CAPEC Program User Summit,” and a very special thank you to our presenters:

Akond Rahman, Tennessee Tech University
Derek Chamorro, Cloudflare
Fil Filiposki, AttackForge
Kumar V Mangipudi, Lattice Semiconductor
Max Rak, University of Campania Luigi Vanvitelli
Suzanna Schmeelk, St. John's University
Robert A. Martin, The MITRE Corporation

And to our CAPEC Team members from MITRE:

Bob Heinemann
Gananand Kini
Navaneeth Subramanian

We’ll be posting videos of the summit sessions soon on our CAPEC/CWE YouTube channel, so keep an eye out!

CAPEC List Version 3.7 Now Available

February 25, 2022

CAPEC Version 3.7 has been posted on the CAPEC List page. A detailed report is available that lists specific changes between Version 3.6 and Version 3.7.

Version 3.7 includes:

  • Completed creation/updating of 56 execution flows.
  • Revamped definitions of 87 CAPEC entries, moving supplementary information to the new Extended_Description property introduced in release 3.6.

There were no schema updates.

Summary

There are now 546 total attack patterns listed.

Changes for the new version release include the following:

  • New Attack Patterns Added: 0
  • Existing Attack Patterns Updated: 160
  • Attack Patterns Deprecated: 0
  • Existing Categories Updated: 1
  • Existing Categories Deprecated: 0
  • New Views Added: 0
  • Existing Views Updated: 0
  • CAPEC-to-CWE Mappings Added: 0
  • CAPEC-to-CWE Mappings Removed: 2
  • CAPEC-to-CAPEC Mappings Added: 0
  • CAPEC-to-CAPEC Mappings Removed: 0

See the complete list of changes at https://capec.mitre.org/data/reports/diff_reports/v3.6_v3.7.html.

Future updates will be noted here, on the CAPEC Research email discussion list, CAPEC page on LinkedIn, and on @cwecapec on Twitter. Please contact us with any comments or concerns.

Final Agenda for the “CAPEC Program User Summit” Now Available

February 22, 2022

The final agenda for the first-ever virtual “CAPEC Program User Summit” on Wednesday, February 23, 2022, from 11:00 a.m. to 4:00 p.m. EST is below.

View a text version of the agenda here.

“CAPEC Program User Summit 2022 - Event Agenda” (agenda image)


Last Chance to Join Us for the “CAPEC Program User Summit” on February 23

February 22, 2022

Last chance to join the CAPEC community for the first-ever virtual “CAPEC Program User Summit” on Wednesday, February 23, 2022 from 11:00 am to 4:00 pm EST. Program improvements, education and awareness, and modernization will be the focus areas for this event.

Register

Register for the event here.

Agenda

Attendees will have the opportunity to participate in subsequent discussions around the topics below.

Time                      Session
11:00 a.m. – 11:15 a.m.   Welcome and Agenda Overview
11:15 a.m. – 12:00 p.m.   Pen Testing and Execution Flows
12:00 p.m. – 12:30 p.m.   Using CAPEC in Education
12:30 p.m. – 1:00 p.m.    Break
1:00 p.m. – 1:45 p.m.     Hardware and CAPEC
1:45 p.m. – 2:15 p.m.     CAPEC Entry Completeness and Quality
2:15 p.m. – 2:45 p.m.     Break
2:45 p.m. – 3:30 p.m.     Supply Chain Risk and CAPEC
3:30 p.m. – 4:00 p.m.     Community Discussion: Future Vision for CAPEC

CAPEC/CWE Podcast: “Beyond the Buffer Overflow: Finding Weaknesses in Software, an Interview with Larry Cashdollar”

February 22, 2022

The CWE/CAPEC Program’s “Out-of-Bounds Read” podcast is devoted to helping the community that protects systems by understanding weaknesses and attack patterns in software and hardware.

In our sixth episode, “Beyond the Buffer Overflow: Finding Weaknesses in Software, an Interview with Larry Cashdollar,” Larry Cashdollar of Akamai talks about the types of weaknesses behind the many CVEs he has found as a CVE Numbering Authority and how the frequency of these weaknesses has changed over time. CAPEC is also mentioned.

Out of Bounds Read podcast episode 6 - Beyond the Buffer Overflow: Finding Weaknesses in Software, an Interview with Larry Cashdollar

The podcast is available for free on the CWE/CAPEC Program Channel on YouTube, the Out-of-Bounds Read page on Buzzsprout, or on podcast platforms.

Please give the podcast a listen and let us know what you think by commenting on Twitter at @cwecapec or sending a direct message, or email us at cwe@mitre.org or capec@mitre.org. We look forward to hearing from you!

CAPEC/CWE Blog: “Mind Your REGEX or It Can Put Your Program Into an Infinite Loop”

February 1, 2022

The CAPEC/CWE Team’s “Mind Your REGEX or It Can Put Your Program Into an Infinite Loop” blog article discusses why, if your project uses or implements regular expressions, you need to check them for a weakness that can let an attacker stop your program from working. CAPEC is also discussed.

Read the complete article on the CAPEC/CWE Blog on Medium.
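The weakness behind the article’s title is catastrophic backtracking: a regular expression with nested or overlapping quantifiers whose matching time grows exponentially on a near-miss input, so a single crafted string ties up the process for as long as the attacker likes (CWE-1333, Inefficient Regular Expression Complexity; CAPEC-492, Regular Expression Exponential Blowup). The following Python is an added example, not code from the blog article or the CAPEC Team: it measures how match time grows with input length for such a pattern and for a rewrite that accepts exactly the same strings, which is the quick check to run before a regex is allowed to see untrusted input. The patterns, the near-miss input and the threshold are constructed for the illustration.

```python
import re
import time

# Constructed for this example: "^(a+)+$" nests one quantifier inside another, so on
# an input of n 'a's followed by a character that cannot match, the engine tries every
# way of splitting the run of 'a's between the inner and outer '+' (2^(n-1) attempts)
# before it gives up.  "^a+$" accepts the same language in one linear pass.
VULNERABLE = re.compile(r"^(a+)+$")
SAFE = re.compile(r"^a+$")


def near_miss(n: int) -> str:
    """An input that almost matches: n 'a's followed by one character that breaks the match."""
    return "a" * n + "!"


def min_match_time(pattern: "re.Pattern[str]", text: str, repeats: int = 5) -> float:
    """Smallest wall-clock time over several runs of pattern.match(text), to suppress noise."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        pattern.match(text)
        best = min(best, time.perf_counter() - start)
    return max(best, 1e-9)  # avoid a zero divisor on coarse clocks


def growth_factor(pattern: "re.Pattern[str]", small: int = 9, large: int = 18) -> float:
    """Ratio of match time at near-miss length `large` to length `small`.

    A linear-time pattern stays near 1 here (both runs are dominated by call overhead).
    A catastrophically backtracking pattern roughly doubles its work per extra character,
    so nine extra characters push the ratio into the hundreds.
    """
    return min_match_time(pattern, near_miss(large)) / min_match_time(pattern, near_miss(small))


def is_suspicious(pattern: "re.Pattern[str]", threshold: float = 20.0) -> bool:
    """True when the pattern's cost explodes with input length (constructed threshold)."""
    return growth_factor(pattern) > threshold


if __name__ == "__main__":
    for name, pattern in (("vulnerable", VULNERABLE), ("safe", SAFE)):
        print(f"{name:10s} growth x{growth_factor(pattern):.0f}  suspicious={is_suspicious(pattern)}")
```

Keep the near-miss length small when running this: with this engine, each extra character roughly doubles the time, and around 25–30 characters the vulnerable pattern takes seconds to minutes. The same growth check works for any pattern by substituting the pattern and a near-miss generator that almost satisfies it; the fix is always the same in kind, namely removing the ambiguity (no nested or overlapping quantifiers) or replacing the regex with a hand-written parser, and bounding the length of untrusted input before it reaches the matcher.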

Don't Miss out! Join Us for the “CAPEC Program User Summit” on February 23!

January 13, 2022 (Updated February 3, 2022)

Please join the CAPEC team for our first-ever virtual “CAPEC Program User Summit” on Wednesday, February 23, 2022 from 10:30 am to 4:30 pm EST.

Program improvements, education and awareness, and modernization will be the focus areas for this event. Attendees will have the opportunity to participate in subsequent discussions around the following topics and more:

  • Assessing CAPEC offerings
  • User perceptions
  • Mitigating supply chain attacks with CAPEC
  • Using CAPEC’s execution flows (steps to perform an attack) as a playbook for pen testing
  • The CAPEC Program’s vision for the future of the program
  • Other topics suggested by attendees

A complete agenda and additional details will be available soon.

Register for the event here.

CAPEC/CWE Blog: “HTTP Desync: The Redux and Evolution of HTTP Smuggling and Splitting Attack Techniques”

January 13, 2022

The CAPEC/CWE Team’s “HTTP Desync: The Redux and Evolution of HTTP Smuggling and Splitting Attack Techniques” blog article provides a primer on the often conflated HTTP request/response splitting and smuggling attack techniques, as well as information about which CAPEC entries may help further distinguish between them.

Read the complete article on the CAPEC/CWE Blog on Medium.
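The two techniques are easy to conflate because both end with an attacker-controlled request or response boundary, but they live in different places: splitting is a CR/LF injected into a single header value, so the check belongs on the value before it is emitted; smuggling is two parsers (typically a front-end proxy and a back-end server) disagreeing about where a request body ends, so the check belongs on the framing headers. The Python below is an added illustration, not code from the blog article or the CAPEC Team, and the messages, hostname and function names are constructed for it. It flags a header value that would split a response, flags a request whose framing is ambiguous, and then parses the same request body both ways to show the leftover byte that one side would treat as the start of a second request.

```python
# Constructed sample messages for this example (not from the blog article).

# Splitting: a value such as a user-supplied language tag that carries CRLF.  If it is
# written into a response header unchecked, everything after the first CRLF becomes
# new headers and a second, attacker-authored response.
SPLIT_VALUE = "en\r\nContent-Length: 0\r\n\r\nHTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nEVIL!"
CLEAN_VALUE = "en-US"

# Smuggling: one request that states its body length two different ways.
SMUGGLE_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 6\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\nG"
)

CLEAN_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)


def has_header_injection(value: str) -> bool:
    """Splitting check: a CR or LF in a header value would terminate the header early."""
    return "\r" in value or "\n" in value


def parse_headers(raw: bytes):
    """Split a raw request into (request line, [(lower-cased name, value)], body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def framing_conflicts(raw: bytes) -> list:
    """Smuggling check: reasons two parsers could disagree on where the body ends."""
    _, headers, _ = parse_headers(raw)
    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]
    problems = []
    if cl and te:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        problems.append("conflicting duplicate Content-Length values")
    if any(not v.isdigit() for v in cl):
        problems.append("non-numeric Content-Length")
    if te and te[-1].split(b",")[-1].strip().lower() != b"chunked":
        problems.append("Transfer-Encoding does not end with chunked")
    return problems


def body_by_content_length(raw: bytes):
    """Body as a Content-Length parser sees it: (body, bytes left over for the next request)."""
    _, headers, body = parse_headers(raw)
    n = int(next(v for k, v in headers if k == b"content-length"))
    return body[:n], body[n:]


def body_by_chunked(raw: bytes):
    """Body as a chunked parser sees it: (decoded body, bytes left over for the next request)."""
    _, _, body = parse_headers(raw)
    out, pos = b"", 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)  # chunk-size, ignoring extensions
        pos = end + 2
        if size == 0:
            term = body.index(b"\r\n", pos)  # end of the (here empty) trailer section
            return out, body[term + 2:]
        out += body[pos:pos + size]
        pos += size + 2  # data plus its trailing CRLF


if __name__ == "__main__":
    print("split value rejected:", has_header_injection(SPLIT_VALUE))
    print("framing conflicts:", framing_conflicts(SMUGGLE_REQUEST))
    print("as Content-Length sees it:", body_by_content_length(SMUGGLE_REQUEST))
    print("as chunked sees it:      ", body_by_chunked(SMUGGLE_REQUEST))
```

On the smuggling sample, the Content-Length parser consumes all six body bytes and leaves nothing, while the chunked parser stops at the zero-size chunk and leaves the byte `G` on the connection, where it becomes the first byte of whatever request arrives next. A proxy and origin that pick different framings are therefore desynchronised, which is why the defensive position is to reject (or normalise to a single framing) any request that `framing_conflicts` flags rather than trying to guess which header the peer will honour.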

CWE/CAPEC Board Approves Version 1.0 of Board Charter

January 10, 2022

The CWE/CAPEC Board approved version 1.0 of the “CWE/CAPEC Board Charter” on January 7, 2022. The charter includes two main sections, “Board Overview and Member Responsibilities” and “Board Membership and Operations,” as well as a “Board Charter Review” section that describes the process for updating the charter. Along with version 1.0 of the charter document, the Board also approved the “CWE/CAPEC Program Professional Code of Conduct.”

CAPEC/CWE Communications Survey

January 6, 2022

The CAPEC/CWE Program requests your feedback on our communications efforts. We would like to learn what you think about the topics being covered on our CAPEC/CWE Blog and Out-of-Bounds Read podcast, as well as anything else that you want to see or learn more about.

Please respond to our “CAPEC/CWE Communications Survey” and share your thoughts today!

Page Last Updated or Reviewed: April 05, 2023