CWE Version 4.3 is Now Available!


CWE Version 4.3 is Now Available!

asummers
Administrator

Dear CWE Community,

 

We are thrilled to announce that CWE version 4.3 is now available on our website – https://cwe.mitre.org. Thank you to all our content submitters for your time and efforts to collaborate and make this release possible.

 

A detailed report listing the specific changes between Version 4.2 and 4.3 can be found here (diff report), but below I have listed some of the key highlights:

 

1) Twenty (20) new hardware weaknesses:

 

2) Five (5) new software weaknesses:

 

3) One (1) new software view: CWE-1340: CISQ Data Protection Measures

 

4) Updated relationships for 113 existing entries

 

We are really excited about this release, and we look forward to you diving into the new content. On behalf of the CWE Team, thank you for your continued support of the CWE project.

 

Cheers,

Alec

 

-- 

Alec J. Summers

Cyber Solutions Innovation Center

Group Leader, Software Assurance

Cyber Security Engineer, Lead

O: (781) 271-6970

C: (781) 496-8426

––––––––––––––––––––––––––––––––––––

MITRE - Solving Problems for a Safer World

 


RE: CWE Version 4.3 is Now Available!

Christey, Steven M.

Kurt,

 

We have not had any well-defined strategy for overloaded terms yet, as we’ve been relying more on the reader to make the determination themselves.  But the expansion to hardware is definitely producing some overloaded terms.  “IP” is another example, where software entries are discussing “Internet Protocol” whereas hardware entries are using it for an “Intellectual Property” (which is a well-understood, commonly-used term within the hardware domain.)

 

In general, we try to use terms that might be too vague or easily misinterpreted by readers, but when it comes to well-accepted terms like “IP” or “fabric” we can’t avoid them.

 

CWE does have a glossary, but that’s generally been intended for CWE-defined terms. It would not be difficult to update the glossary to include some of these overloaded terms, although it still does not address the temporary confusion that a reader might have.  I think your suggestion for a slight rephrase is a good one.

 

- Steve

 

 

From: Kurt Seifried <[hidden email]>
Sent: Thursday, December 10, 2020 9:46 PM
To: Alec J Summers <[hidden email]>
Cc: CWE Development Announcements <[hidden email]>; CWE Research Discussion <[hidden email]>
Subject: Re: CWE Version 4.3 is Now Available!

 

One comment: what is the CWE strategy for dealing with overloaded terms like "fabric"? When I first saw it my mind went to Hyperledger Fabric and not a hardware fabric (and then I reread the title and got it). Should we consider clarifying it, e.g. "hardware fabric", to make it really clear? The CWE itself is hardware-specific so I don't see any harm in putting the term in the title.


Re: CWE Version 4.3 is Now Available!

Kurt Seifried


On Fri, Dec 11, 2020 at 9:46 AM Steven M Christey <[hidden email]> wrote:

> Kurt,
>
> We have not had any well-defined strategy for overloaded terms yet, as we’ve been relying more on the reader to make the determination themselves.

That goes in direct contradiction of "It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation, and prevention efforts."

It's not a common language if we rely upon the reader to determine what it means.

> But the expansion to hardware is definitely producing some overloaded terms. “IP” is another example, where software entries are discussing “Internet Protocol” whereas hardware entries are using it for an “Intellectual Property” (which is a well-understood, commonly-used term within the hardware domain.)

Simple solution: when you mean IP (Internet Protocol) you say so, and when you mean IP (Intellectual Property) you say so. Be explicit. It's not like serving a little more text is going to be a problem.

> In general, we try to use terms that might be too vague or easily misinterpreted by readers, but when it comes to well-accepted terms like “IP” or “fabric” we can’t avoid them.

Agreed, but we can give them context.

> CWE does have a glossary, but that’s generally been intended for CWE-defined terms. It would not be difficult to update the glossary to include some of these overloaded terms, although it still does not address the temporary confusion that a reader might have. I think your suggestion for a slight rephrase is a good one.

Thanks, reducing cognitive load will make this much easier to consume.



--
Kurt Seifried
[hidden email]

RE: CWE Version 4.3 is Now Available!

Fung, Jason M

The verbosity definitely helps to minimize confusion. The flip side is that it does not enhance the reading pleasure for practitioners in the domain who keep seeing common phrases get expanded out. To them, these terms are obvious. We need to find ways to strike a balance.

 

For example, does our publishing system support suggestion of link insertions (to be reviewed and approved by an editor) for terms that appear in the glossary, and have them linked back to the glossary to improve clarity?

 

- Jason

 


RE: CWE Version 4.3 is Now Available!

Christey, Steven M.

A common writing practice for acronyms is to expand them the first time they’re mentioned, then just use the acronym afterward. This could also be done for other terms, such as using “hardware fabric” the first time it appears and dropping “hardware” in subsequent uses. The impact to readability could then be minimized.

 

In the first 10 years of CWE or so, the web site would highlight glossary words in descriptions, and the user could mouse over them to see “tool tips,” although the highlighting could be visually distracting and only worked on individual web pages. It seems feasible to do some kind of link insertions that lead directly to the glossary.

 

- Steve

 

 


Re: CWE Version 4.3 is Now Available!

Jeffrey Walton
On Fri, Dec 11, 2020 at 2:13 PM Steven M Christey <[hidden email]> wrote:
>
> A common writing practice for acronyms is to expand them the first time they’re mentioned, then just use the acronym afterward. This could also be done for other terms, such as using “hardware fabric” the first time it appears and dropping “hardware” in subsequent uses. The impact to readability could then be minimized.

I believe fabric is a colloquial, not an abbreviation. Colloquials are
closer to slang and should be avoided. For example, "losing my
religion" is a colloquial in the southern US which means "losing one's
temper". Many folks outside the southern US don't know what it means.
I can only imagine the problems it causes in different languages and
cultures.

I think the same applies to fabric. It is slang in the hardware world
for the switching fabric and associated circuitry. It is not clear to
me all folks in the software world know what it is, and if the term is
known in other parts of the world.

Jeff

Re: CWE Version 4.3 is Now Available!

Kurt Seifried
I've run into this with my CSA work and my solution is to build a glossary for words, and support multiple contexts, e.g. "security" ("a security" or security in general?). There's a lot of mess between the cloud and blockchain worlds, for example it's now accepted in the blockchain world to call a weakness/vulnerability "an attack" (and ... yeah, I tried to sort of argue it, and it was clear everyone else was using it differently). 

--
Kurt Seifried
[hidden email]