Gunnar Peterson's post on the new Common Attack Pattern Enumeration and Classification (CAPEC) project reminded me that MITRE is hosting a ton of these sorts of frameworks. Most of them are listed at measurablesecurity.mitre.org so I intend to refer to that portal from now on. It would be great to see related projects cooperate with MITRE's work. For example, the Web Application Security Consortium "Threat" Classification should be renamed to be an attack classification, consistent with the MITRE CAPEC enumeration. Similarly, it would be nice to see the Open Web Application Security Project Top Ten speak in terms of "attacks" rather than "flaws."
Overall, I would like to see some rigorous thought applied to the use of security terms. For example, a recent SANS NewsBites said:
We are planning for the 2007 Top20 Internet Security Threats report. If you have any experience with Top20 reports over the past six years, could you tell us whether you think an annual or semi-annual or quarterly summary report is necessary or valuable?
Is this another identity crisis for the SANS Top 20 (as covered in my post Further Thoughts on SANS Top 20) or is someone saying "threat" when they mean "vulnerability," or...?
We need to have our terminology straight or we will continue to talk past each other.