CVE<->CWE Mapping Guidance Materials


CVE<->CWE Mapping Guidance Materials

asummers
Administrator

Good afternoon! I hope all is well.

The last time we met, I discussed the guidance effort that we have been working in an effort to better help CNAs map their CVEs to CWE more accurately and efficiently. I am happy to share with you all the materials that the team has put together on this. These documents are the result of a collaborative effort across a number of industry stakeholders (including Battelle, Red Hat, and the CVE Quality Working Group) with a subset of the CWE team led by Rushi Purohit. I applaud their efforts!

You'll find there are two items: 1) a one-page "quick-tips" and 2) a more robust product with more details and specific mapping strategies and examples.

We would love to hear your thoughts and comments on these documents. It is our intent to publish them on our site and to share them with the wider CWE/CAPEC community through other channels in the near future. We are hoping that you could provide feedback by COB Friday, March 12th, if possible.

Looking forward to hearing from you all.

Cheers,

Alec

-- 

Alec J. Summers

Cyber Solutions Innovation Center

Group Leader, Software Assurance Research & Practice

Cyber Security Engineer, Lead

O: (781) 271-6970

C: (781) 496-8426

––––––––––––––––––––––––––––––––––––

MITRE - Solving Problems for a Safer World


Attachments: CWE Mapping Guidance Final.docx (6M); CWE Mapping Guidance Quick Tips Final.docx (87K)

RE: CVE<->CWE Mapping Guidance Materials

Joe Jarzombek

I particularly like the emphasized use of 1003 – Weaknesses for Simplified Mapping of Published Vulnerabilities. With all the focus on data protection and privacy, I'll note the significance of 'Exposure of Sensitive Information to an Unauthorized Actor' as a key use case for CWE-1340: CISQ Data Protection Measures with process assessments associated with CMMC, HIPAA, CCPA, GDPR, etc.

Regards,

   -Joe -

Joe Jarzombek, CSSLP 

Director for Government & Critical Infrastructure Programs

Email: [hidden email]  |  Mobile: 703 627-4644  |

https://www.synopsys.com/solutions/aerospace-defense.html

From: Alec J Summers <[hidden email]>
Sent: Wednesday, March 3, 2021 12:44 PM
To: CWE CAPEC Board <[hidden email]>
Cc: Rushi B Purohit <[hidden email]>; Chris Levendis <[hidden email]>
Subject: CVE<->CWE Mapping Guidance Materials



RE: CVE<->CWE Mapping Guidance Materials

Fung, Jason M
In reply to this post by asummers

The documents are very good.  I like the attention to detail, including a 1-pager vs. the full doc.  Feedback:

  • It would be useful to insert a link on the summary doc back to the primer.
  • My understanding is that View 1003 is software centric.  So, it may be misleading to have users start with that, especially since I expect that the users who may need more help could be those from the HW space, given it is newer.  Perhaps we can position:
    • For SW issues, start with View-1003
    • For HW issues, dive right into View-1194 (it is actually shorter than 1003)

- Jason

From: Alec J Summers <[hidden email]>
Sent: Wednesday, March 3, 2021 10:44 AM
To: CWE CAPEC Board <[hidden email]>
Cc: Rushi B Purohit <[hidden email]>; Chris Levendis <[hidden email]>
Subject: CVE<->CWE Mapping Guidance Materials



Re: CVE<->CWE Mapping Guidance Materials

asummers
Administrator
In reply to this post by asummers

Good afternoon/morning :-)

I hope you all had a great weekend.

I wanted to send a quick note to follow up on this guidance material, which I sent a few weeks ago. The team has been working to absorb the feedback we received from some of you, as well as some that we received during the Compatibility Summit last week.

If you haven't yet had the chance to get back to us, there is still time and we are keen to hear from you. Our plan is to publish these materials on our site and share them with the wider community sometime next week.

Thanks for your continued support!

Cheers,

Alec

-- 

Alec J. Summers

Cyber Solutions Innovation Center

Group Leader, Software Assurance Research & Practice

Cyber Security Engineer, Lead

O: (781) 271-6970

C: (781) 496-8426

––––––––––––––––––––––––––––––––––––

MITRE - Solving Problems for a Safer World

From: Alec J Summers <[hidden email]>
Date: Wednesday, March 3, 2021 at 1:44 PM
To: CWE CAPEC Board <[hidden email]>
Cc: Rushi B Purohit <[hidden email]>, Chris Levendis <[hidden email]>
Subject: CVE<->CWE Mapping Guidance Materials
