Tuesday, May 29, 2007

Security Language

Gunnar Peterson's post on the new Common Attack Pattern Enumeration and Classification (CAPEC) project reminded me that MITRE is hosting a ton of these sorts of frameworks. Most of them are listed at measurablesecurity.mitre.org, so I intend to refer to that portal from now on. It would be great to see related projects cooperate with MITRE's work. For example, the Web Application Security Consortium "Threat" Classification should be renamed to be an attack classification, consistent with the MITRE CAPEC enumeration. Similarly, it would be nice to see the Open Web Application Security Project Top Ten speak in terms of "attacks" rather than "flaws."

Overall I would like to see some rigorous thought applied to the use of security terms. For example, a recent SANS NewsBites said:

We are planning for the 2007 Top20 Internet Security Threats report. If you have any experience with Top20 reports over the past six years, could you tell us whether you think an annual or semi-annual or quarterly summary report is necessary or valuable?

Is this another identity crisis for the SANS Top 20 (as covered in my post Further Thoughts on SANS Top 20) or is someone saying "threat" when they mean "vulnerability," or...?

We need to have our terminology straight or we will continue to talk past each other.


Anonymous said...

Excellent post. I wholeheartedly agree. Precise language isn't about picking nits; it's about taking information security from folk art to science. You can't have scientific progress if experts can't speak to each other with precision.

Peterson's work looks interesting; I hadn't seen it before. I am aware of two other efforts aimed at increasing language precision: A Common Language for Computer Security Incidents and An Introduction to Factor Analysis of Information Risk.

-Ryan Heffernan

Axelle said...

CAPEC is there on http://measurablesecurity.mitre.org/ now (first column, third row).

Richard Bejtlich said...

Axelle, thanks, updated.

dre said...

OWASP Top Ten 2007 was just released and it is based on attacks instead of flaws. It's a similar model to MITRE CAPEC and WASC threat classifications. I'm glad to see SANS doing this as well with their Top 20, which I heard is the plan. Correct me if I'm wrong.