Administrator
Dear CWE Community,
We are thrilled to announce that CWE version 4.3 is now available on our website –
https://cwe.mitre.org. Thank you to all our content submitters for your time and efforts to collaborate and make this release possible.
A detailed report listing the specific changes between Version 4.2 and 4.3 can be found here (diff report), but
below I have listed some of the key highlights:
1) Twenty (20) new hardware weaknesses:
2) Five (5) new software weaknesses:
3) One (1) new software view: CWE-1340: CISQ Data Protection Measures
4) Updated relationships for 113 existing entries
We are really excited about this release, and we look forward to you diving into the new content. On behalf of the CWE Team, thank you for your continued support of the CWE project.
Cheers,
Alec
--
Alec J. Summers
Cyber Solutions Innovation Center
Group Leader, Software Assurance
Cyber Security Engineer, Lead
O: (781) 271-6970
C: (781) 496-8426
––––––––––––––––––––––––––––––––––––
MITRE - Solving Problems for a Safer World
Kurt,
We have not had any well-defined strategy for overloaded terms yet, as we’ve been relying more on the reader to make the determination themselves. But the expansion to hardware is definitely producing some overloaded terms. “IP” is another
example, where software entries are discussing “Internet Protocol” whereas hardware entries are using it for an “Intellectual Property” (which is a well-understood, commonly-used term within the hardware domain.)
In general, we try to use terms that might be too vague or easily misinterpreted by readers, but when it comes to well-accepted terms like “IP” or “fabric” we can’t avoid them.
CWE does have a glossary, but that’s generally been intended for CWE-defined terms. It would not be difficult to update the glossary to include some of these overloaded terms, although it still does not address the temporary confusion that
a reader might have. I think your suggestion for a slight rephrase is a good one.
- Steve
> One comment: what is the CWE strategy for dealing with overloaded terms like "fabric", when I first saw it my mind went too Hyperledger Fabric and not a hardware fabric (and then I reread the title and got it). Should we consider clarifying it, e.g. "hardware fabric" to make it really clear? The CWE itself is hardware specific so I don't see any harm in putting the term in the title.
On Thu, Dec 10, 2020 at 5:56 PM Alec J Summers <[hidden email]> wrote:
On Fri, Dec 11, 2020 at 9:46 AM Steven M Christey < [hidden email]> wrote:
> Kurt,
> We have not had any well-defined strategy for overloaded terms yet, as we’ve been relying more on the reader to make the determination themselves.
That goes in direct contradiction of "It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation, and prevention efforts."
It's not a common language if we rely upon the reader to determine what it means.
> But the expansion to hardware is definitely producing some overloaded terms. “IP” is another example, where software entries are discussing “Internet Protocol” whereas hardware entries are using it for an “Intellectual Property” (which is a well-understood, commonly-used term within the hardware domain.)
Simple solution: when you mean IP (Internet Protocol) you say so, and when you mean IP (Intellectual Property) you say so. Be explicit. It's not like serving a little more text is going to be a problem.
> In general, we try to use terms that might be too vague or easily misinterpreted by readers, but when it comes to well-accepted terms like “IP” or “fabric” we can’t avoid them.
Agreed, but we can give them context.
> CWE does have a glossary, but that’s generally been intended for CWE-defined terms. It would not be difficult to update the glossary to include some of these overloaded terms, although it still does not address the temporary confusion that a reader might have. I think your suggestion for a slight rephrase is a good one.
Thanks, reducing cognitive load will make this much easier to consume.
> - Steve
The verbosity definitely helps to minimize confusion. The flip side is that it does not enhance the reading pleasure for practitioners in the domain, who keep seeing common phrases get expanded out. To them, these terms are obvious. We need to find ways to strike a balance.
For example, does our publishing system support suggesting link insertions (to be reviewed and approved by an editor) for terms that appear in the glossary, and have them linked back to the glossary to improve clarity?
- Jason
From: Kurt Seifried <[hidden email]>
Sent: Friday, December 11, 2020 9:30 AM
To: Steven M Christey <[hidden email]>
Cc: Alec J Summers <[hidden email]>; CWE Research Discussion <[hidden email]>
Subject: Re: CWE Version 4.3 is Now Available!
A common writing practice for acronyms is to expand them the first time they’re mentioned, then just use the acronym afterward. This could also be done for other terms, such as using “hardware fabric” the first time it appears and dropping “hardware” in subsequent uses. The impact to readability could then be minimized.
In the first 10 years of CWE or so, the web site would highlight glossary words in descriptions, and the user could mouse over them to see “tool tips,” although the highlighting could be visually distracting and only worked on individual
web pages. It seems feasible to do some kind of link insertions that lead directly to the glossary.
- Steve
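Steve's suggestion above (expand a term on its first mention, leave later mentions bare, and link terms back to the glossary) and Kurt's point that overloaded terms like "IP" need context can be combined in one small annotator. The Python below is an added example written for this page; it is not CWE's or MITRE's own publishing tooling. The glossary entries and anchors are constructed, the glossary URL is assumed, and the `annotate` function takes the entry's domain (`"hardware"` or `"software"`) to select the right sense of an overloaded term, reporting any term it could not resolve for that domain instead of guessing.

```python
import re

# Constructed glossary (not CWE's own): term -> {domain: (expansion, anchor)}.
# Overloaded terms carry one sense per domain, as the thread describes for "IP".
GLOSSARY = {
    "IP": {
        "software": ("Internet Protocol", "ip-internet-protocol"),
        "hardware": ("Intellectual Property", "ip-intellectual-property"),
    },
    "fabric": {
        "hardware": ("hardware fabric", "hardware-fabric"),
    },
}

# Assumed glossary location; the anchors are constructed for this example.
GLOSSARY_URL = "https://cwe.mitre.org/documents/glossary/"

# Matches existing <a>...</a> links so they are left untouched.
_LINK_RE = re.compile(r"(<a\b[^>]*>.*?</a>)", re.S)


def _term_pattern(glossary):
    """Build one word-bounded alternation over all glossary terms.
    Acronyms (all caps) match exactly; ordinary words match case-insensitively."""
    parts = []
    for term in sorted(glossary, key=len, reverse=True):
        esc = re.escape(term)
        parts.append(esc if term.isupper() else "(?i:" + esc + ")")
    return re.compile(r"\b(?:" + "|".join(parts) + r")\b")


def annotate(text, domain, glossary=GLOSSARY, base_url=GLOSSARY_URL):
    """Link and expand the first mention of each glossary term for the given
    domain; later mentions stay as written.  Returns (annotated_text, unresolved)
    where unresolved lists terms that have no sense defined for this domain and
    were therefore left unchanged rather than linked to the wrong meaning."""
    pattern = _term_pattern(glossary)
    lookup = {t if t.isupper() else t.lower(): t for t in glossary}
    seen, unresolved = set(), []

    def replace(match):
        word = match.group(0)
        key = lookup.get(word) or lookup.get(word.lower())
        senses = glossary[key]
        if domain not in senses:
            if word not in unresolved:
                unresolved.append(word)
            return word
        if key in seen:
            return word            # later mention: keep the short form
        seen.add(key)
        expansion, anchor = senses[domain]
        # Acronyms become "Expansion (ACRONYM)"; plain words become the fuller phrase.
        label = f"{expansion} ({word})" if key.isupper() else expansion
        return f'<a href="{base_url}#{anchor}">{label}</a>'

    out = []
    for i, segment in enumerate(_LINK_RE.split(text)):
        # Odd-indexed segments are existing links; only plain text is annotated.
        out.append(segment if i % 2 else pattern.sub(replace, segment))
    return "".join(out), unresolved


if __name__ == "__main__":
    # Constructed sample sentences, one per domain.
    hw = "The fabric routes requests from each IP block; the fabric arbiter trusts the IP."
    sw = "Packets on the fabric carry an IP header."
    print(annotate(hw, "hardware"))
    print(annotate(sw, "software"))
```

Running the block shows "fabric" and "IP" linked and expanded once each in the hardware sentence, while in the software sentence "IP" resolves to Internet Protocol and "fabric" is reported as unresolved because the constructed glossary defines no software sense for it; an editor can then decide whether to add that sense or rephrase the entry.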
On Fri, Dec 11, 2020 at 2:13 PM Steven M Christey < [hidden email]> wrote:
>
> A common writing practice for acronyms is to expand them the first time they’re mentioned, then use just use the acronym afterward. This could also be done for other terms, such as using “hardware fabric” the first time it appears and dropping “hardware” in subsequent uses. The impact to readability could then be minimized.
I believe fabric is a colloquial, not an abbreviation. Colloquials are closer to slang and should be avoided. For example, "losing my religion" is a colloquial in the southern US which means "losing one's temper". Many folks outside the southern US don't know what it means. I can only imagine the problems it causes in different languages and cultures.
I think the same applies to fabric. It is slang in the hardware world for the switching fabric and associated circuitry. It is not clear to me all folks in the software world know what it is, and if the term is known in other parts of the world.
Jeff
I've run into this with my CSA work and my solution is to build a glossary for words, and support multiple contexts, e.g. "security" ("a security" or security in general?). There's a lot of mess between the cloud and blockchain worlds, for example it's now accepted in the blockchain world to call a weakness/vulnerability "an attack" (and ... yeah, I tried to sort of argue it, and it was clear everyone else was using it differently).
On Fri, Dec 11, 2020 at 1:12 PM Jeffrey Walton <[hidden email]> wrote:
On Fri, Dec 11, 2020 at 2:13 PM Steven M Christey <[hidden email]> wrote: