Retrospectiva na Tecnologia
CAPEC - Common Attack Pattern Enumerations and Classifications


News & Events


2021 Archive

CAPEC/CWE Podcast: “CWE and Hardware Security”

November 7, 2021

The CWE/CAPEC Program’s “Out-of-Bounds Read” podcast is devoted to helping the community that protects systems by understanding weaknesses and attack patterns in software and hardware.

In our fifth episode, “CWE and Hardware Security,” hardware experts discuss hardware CWEs and the “2021 CWE™ Most Important Hardware Weaknesses List,” including how the list will help the community, their favorite entries and surprising items on the list, and stories around hardware weaknesses. CAPEC is also a discussion topic.

Interviewees include Jason Fung, Director of Offensive Security Research and Academic Research Engagement at Intel; Jason Oberg, Cofounder and Chief Technology Officer at Tortuga Logic; Paul Wortman, Cybersecurity Research Scientist at Wells Fargo; Jasper von Woudenberg, CTO of Riscure North America and co-author of the “Hardware Hacking Handbook”; and Nicole Fern, Senior Security Analyst at Riscure.

Out of Bounds Read podcast episode 5 - CWE and Hardware

The podcast is available for free on the CWE/CAPEC Program Channel on YouTube, the Out-of-Bounds Read page on Buzzsprout, or on podcast platforms.

Please give the podcast a listen and let us know what you think by commenting on Twitter at @cwecapec or sending a direct message, or email us at cwe@mitre.org or capec@mitre.org. We look forward to hearing from you!

CAPEC/CWE Blog: “New Math: Don’t Let Real Numbers Cause the Loss of Real Lives or Money”

November 2, 2021

The CAPEC/CWE Team’s “New Math: Don’t Let Real Numbers Cause the Loss of Real Lives or Money” blog article discusses the importance of making sure you know the limits of the problem you are trying to solve and of testing up to those limits.

Read the complete article on the CAPEC/CWE Blog on Medium.


CAPEC List Version 3.6 Now Available

October 21, 2021

CAPEC Version 3.6 has been posted on the CAPEC List page. A detailed report is available that lists specific changes between Version 3.5 and Version 3.6.

Version 3.6 includes:

  • Creating or updating Execution Flows for 63 attack patterns
  • Adding six new attack patterns:
    • Supply Chain Attack Patterns
      • CAPEC-677: Server Functionality Compromise
      • CAPEC-678: System Build Data Maliciously Altered
    • Access Control Attack Patterns related to Hardware
      • CAPEC-679: Exploitation of Improperly Configured or Implemented Memory Protections
      • CAPEC-680: Improperly Controlled Registers
      • CAPEC-681: Exploitation of Improperly Controlled Hardware Security Identifiers
    • Other Attack Patterns
      • CAPEC-676: NoSQL Injection
  • Revamping 4 CAPECs related to HTTP Splitting/Smuggling (33, 34, 105, 273)
  • Revamping 3 CAPECs related to Serialized Data with Nested Payloads (230, 197, 491)
  • Updating the CAPEC website main landing page with a new look to include the latest news, events, and community information, as well as quick access to the CAPEC List

The schema was updated to add the Extended_Description property.

Summary

There are now 546 total attack patterns listed.

Changes for the new version release include the following:

  • New Attack Patterns Added: 6
  • Existing Attack Patterns Updated: 70
  • Attack Patterns Deprecated: 1
  • Existing Categories Updated: 0
  • Existing Categories Deprecated: 0
  • New Views Added: 0
  • Existing Views Updated: 0
  • CAPEC-to-CWE Mappings Added: 34
  • CAPEC-to-CWE Mappings Removed: 42
  • CAPEC-to-CAPEC Mappings Added: 46
  • CAPEC-to-CAPEC Mappings Removed: 1

See the complete list of changes at https://capec.mitre.org/data/reports/diff_reports/v3.5_v3.6.html.

Future updates will be noted here, on the CAPEC Research email discussion list, CAPEC page on LinkedIn, and on @cwecapec on Twitter. Please contact us with any comments or concerns.


CAPEC Also Discussed in “The CWE 15th Anniversary Special” Podcast

October 21, 2021

The CWE/CAPEC Program’s “Out-of-Bounds Read” podcast is devoted to helping the community that protects systems by understanding weaknesses and attack patterns in software and hardware.

CAPEC is a main discussion topic in “The CWE 15th Anniversary Special” podcast episode, a special Cybersecurity Awareness Month podcast in which the 15-year history and future of the CWE/CAPEC program are discussed with those who made significant contributions to both CAPEC and CWE: Bob Martin, Senior Principal Software and Supply Chain Assurance Engineer at MITRE; Joe Jarzombek, Director of Government and Critical Infrastructure Programs at Synopsys; Chris Eng, Chief Research Officer at Veracode; Chris Levendis, CWE/CAPEC Program Leader at MITRE; and Drew Buttner, Software Assurance Capability Area Lead at MITRE.

Out of Bounds Read podcast episode 4 - The CWE 15th Anniversary Special

The podcast is available for free on the CWE/CAPEC Program Channel on YouTube, the Out-of-Bounds Read page on Buzzsprout, or on podcast platforms.

Please give the podcast a listen and let us know what you think by commenting on Twitter at @cwecapec or sending a direct message, or email us at capec@mitre.org. We look forward to hearing from you!

CAPEC/CWE Blog: “The Most Important CWEs and CAPECs to Pay Attention to When Building Software”

October 7, 2021

The CAPEC/CWE Team’s “The Most Important CWEs and CAPECs to Pay Attention to When Building Software” blog article includes 5 checks for your development process.

Read the complete article on the CAPEC/CWE Blog on Medium.


CAPEC/CWE Podcast: “What is CAPEC, Why is It important, and How Can it Help Me?”

September 1, 2021

The CAPEC/CWE Program’s “Out-of-Bounds Read” podcast is devoted to helping the community that protects systems by understanding weaknesses and attack patterns in software and hardware.

In our “What is CAPEC, Why is It important, and How Can it Help Me?” episode, Steve Battista of the CWE/CAPEC Program interviews Rich Piazza, the CAPEC Task Lead, about what Common Attack Pattern Enumeration and Classification (CAPEC™) is and the problem it aims to solve, who can benefit from CAPEC and how to leverage it, the role of the community, how CAPEC has evolved over time, and possibilities for the future.

Out of Bounds Read podcast episode 2 - What is CAPEC, Why is It important, and How Can it Help Me?

The podcast is available for free on the CWE/CAPEC Program Channel on YouTube and on other podcast platforms.

Please give the podcast a listen and let us know what you think by commenting on Twitter at @cwecapec or sending a direct message, or email us at capec@mitre.org. We look forward to hearing from you!

Riskaware Added to “CAPEC Organization Usage” Page that Highlights How Vendors Are Using CAPEC

July 9, 2021

The “CAPEC Organization Usage” page highlights how organizations are actively using CAPEC in their products. Each listing includes the company name, a summary statement of use, brief description, and a screen shot (when available).

One new organization added:

Riskaware – CyberAware Predict uses CAPEC to determine potential adversary techniques from scanned vulnerabilities and detected exploits.

To view the complete listing, visit the CAPEC Organization Usage page.

We encourage any organization currently using CAPEC to contact us to be added to this page. We look forward to hearing from you!


CAPEC List Version 3.5 Now Available

June 24, 2021

CAPEC Version 3.5 has been posted on the CAPEC List page. A detailed report is available that lists specific changes between Version 3.4 and Version 3.5.

Version 3.5 includes:

  • Adding fourteen new attack patterns:
    • Supply Chain Attack Patterns
      • CAPEC-669: Alteration of a Software Update
      • CAPEC-670: Software Development Tools Maliciously Altered
      • CAPEC-671: Requirements for ASIC Functionality Maliciously Altered
      • CAPEC-672: Malicious Code Implanted During Chip Programming
      • CAPEC-673: Developer Signing Maliciously Altered Software
      • CAPEC-674: Design for FPGA Maliciously Altered
      • CAPEC-675: Retrieve Data from Decommissioned Devices
    • Bluetooth Attack Patterns
      • CAPEC-666: BlueSmacking
      • CAPEC-667: Bluetooth Impersonation AttackS (BIAS)
      • CAPEC-668: Key Negotiation of Bluetooth Attack (KNOB)
    • Other Attack Patterns
      • CAPEC-662: Adversary in the Browser
      • CAPEC-663: Exploitation of Transient Instruction Execution
      • CAPEC-664: Server Side Request Forgery
      • CAPEC-665: Exploitation of Thunderbolt Protection Flaws
  • Adding 21 Common Attack Pattern Enumeration and Classification (CAPEC™)-to-Common Weakness Enumeration (CWE™) mappings. These mappings help inform a tighter integration between CWE and CAPEC.
  • Updating CAPEC-to-Adversarial Tactics, Techniques & Common Knowledge (ATT&CK™) mappings to better align to the new versions of ATT&CK.
  • Increasing the number of can-precede/can-follow links. These links describe related chains of attack patterns that could be used together.
  • Website improvements:
    • Adding filtered views in CAPEC-1000 and CAPEC-3000 to focus on attack patterns related to a particular property (e.g., consequences).
    • Adding a New to CAPEC? web page to guide new visitors on how to navigate the CAPEC website.
    • Changing the colors of the level icons to more closely correspond to CWE:
      • Category
      • Meta Attack Pattern
      • Standard Attack Pattern
      • Detailed Attack Pattern

There were no schema updates.
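The CAPEC-to-CWE mappings and the can-precede/can-follow links described above, and the Extended_Description property that the 3.6 release adds to the schema, are all fields in the CAPEC XML export. The following added example (not code from the CAPEC program) walks those relationships with the Python standard library. The sample document is constructed for illustration: its IDs, names and links are not taken from any CAPEC release, and the element names, the `Nature` values and the `http://capec.mitre.org/capec-3` namespace are assumed to match the v3 schema; run it against the real `capec_latest.xml` from the CAPEC site to confirm.

```python
"""Walk CAPEC-to-CAPEC and CAPEC-to-CWE relationships in a CAPEC v3 XML export.

Added example. The sample catalog below is constructed for illustration; its
IDs, names and links are not from an actual CAPEC release. Element names and
the namespace are assumed to match the CAPEC v3 XML schema.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"c": "http://capec.mitre.org/capec-3"}  # assumed v3 schema namespace

# Constructed sample: three patterns with ChildOf / CanPrecede / CanFollow links
# and CWE mappings; one pattern carries the optional Extended_Description element.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Attack_Pattern_Catalog xmlns="http://capec.mitre.org/capec-3" Name="CAPEC" Version="3.6">
  <Attack_Patterns>
    <Attack_Pattern ID="100" Name="Example Meta Pattern" Abstraction="Meta" Status="Stable">
      <Description>Placeholder meta-level pattern.</Description>
      <Related_Weaknesses><Related_Weakness CWE_ID="20"/></Related_Weaknesses>
    </Attack_Pattern>
    <Attack_Pattern ID="200" Name="Example Standard Pattern" Abstraction="Standard" Status="Draft">
      <Description>Placeholder standard-level pattern.</Description>
      <Extended_Description>Optional longer text added by the 3.6 schema.</Extended_Description>
      <Related_Attack_Patterns>
        <Related_Attack_Pattern CAPEC_ID="100" Nature="ChildOf"/>
        <Related_Attack_Pattern CAPEC_ID="300" Nature="CanPrecede"/>
      </Related_Attack_Patterns>
      <Related_Weaknesses>
        <Related_Weakness CWE_ID="79"/>
        <Related_Weakness CWE_ID="20"/>
      </Related_Weaknesses>
    </Attack_Pattern>
    <Attack_Pattern ID="300" Name="Example Follow-on Pattern" Abstraction="Detailed" Status="Draft">
      <Description>Placeholder detailed-level pattern.</Description>
      <Related_Attack_Patterns>
        <Related_Attack_Pattern CAPEC_ID="200" Nature="CanFollow"/>
      </Related_Attack_Patterns>
      <Related_Weaknesses><Related_Weakness CWE_ID="918"/></Related_Weaknesses>
    </Attack_Pattern>
  </Attack_Patterns>
</Attack_Pattern_Catalog>
"""


def load_catalog(xml_text):
    """Parse the catalog into {capec_id: {name, abstraction, extended, related, cwes}}."""
    root = ET.fromstring(xml_text)
    patterns = {}
    for ap in root.findall(".//c:Attack_Pattern", NS):
        pid = int(ap.get("ID"))
        related = defaultdict(set)  # Nature -> set of CAPEC IDs
        for rel in ap.findall("c:Related_Attack_Patterns/c:Related_Attack_Pattern", NS):
            related[rel.get("Nature")].add(int(rel.get("CAPEC_ID")))
        cwes = {int(w.get("CWE_ID"))
                for w in ap.findall("c:Related_Weaknesses/c:Related_Weakness", NS)}
        patterns[pid] = {
            "name": ap.get("Name"),
            "abstraction": ap.get("Abstraction"),
            # Extended_Description is optional, so older exports simply yield None.
            "extended": ap.findtext("c:Extended_Description", default=None, namespaces=NS),
            "related": related,
            "cwes": cwes,
        }
    return patterns


def attack_chains(patterns):
    """Return every CanPrecede chain as an ordered list of CAPEC IDs.

    A CanFollow link on B is treated as the reverse of a CanPrecede link on A,
    so a relationship recorded on only one side still yields the chain A -> B.
    """
    succ = defaultdict(set)
    for pid, p in patterns.items():
        for nxt in p["related"].get("CanPrecede", ()):
            succ[pid].add(nxt)
        for prev in p["related"].get("CanFollow", ()):
            succ[prev].add(pid)
    has_pred = {s for targets in succ.values() for s in targets}
    chains = []

    def walk(path):
        nxts = succ.get(path[-1], ())
        if not nxts:
            if len(path) > 1:
                chains.append(path)
            return
        for n in sorted(nxts):
            if n not in path:  # guard against cyclic links in a malformed export
                walk(path + [n])

    for start in sorted(pid for pid in patterns if pid not in has_pred):
        walk([start])
    return chains


def patterns_for_cwe(patterns, cwe_id):
    """CAPEC IDs mapped to one CWE: the reverse of the CAPEC-to-CWE mapping."""
    return sorted(pid for pid, p in patterns.items() if cwe_id in p["cwes"])


if __name__ == "__main__":
    cat = load_catalog(SAMPLE_XML)
    print("chains:", attack_chains(cat))          # [[200, 300]]
    print("CWE-20 ->", patterns_for_cwe(cat, 20))  # [100, 200]
    print("with Extended_Description:", sorted(pid for pid, p in cat.items() if p["extended"]))  # [200]
```

`patterns_for_cwe` is the direction a triage workflow usually needs: starting from a CWE found by a scanner or code review, list the attack patterns that exercise it. `attack_chains` turns the can-precede/can-follow links into explicit sequences, which is the form a threat model or red-team plan consumes.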

Summary

There are now 541 total attack patterns listed.

Changes for the new version release include the following:

  • New Attack Patterns Added: 14
  • Existing Attack Patterns Updated: 127
  • Attack Patterns Deprecated: 0
  • Existing Categories Updated: 0
  • Existing Categories Deprecated: 0
  • New Views Added: 0
  • Existing Views Updated: 0
  • CAPEC-to-CWE Mappings Added: 46
  • CAPEC-to-CWE Mappings Removed: 69
  • CAPEC-to-CAPEC Mappings Added: 46
  • CAPEC-to-CAPEC Mappings Removed: 2

See the complete list of changes at https://capec.mitre.org/data/reports/diff_reports/v3.4_v3.5.html.

Future updates will be noted here, on the CAPEC Research email discussion list, CAPEC page on LinkedIn, and on @cwecapec on Twitter. Please contact us with any comments or concerns.


Rapid7 Added to “CAPEC Organization Usage” Page that Highlights How Vendors Are Using CAPEC

May 6, 2021

The “CAPEC Organization Usage” page highlights how organizations are actively using CAPEC in their products. Each listing includes the company name, a summary statement of use, brief description, and a screen shot (when available).

One new organization added:

Rapid7 – InsightAppSec leverages CAPEC to provide detailed references to its findings.

To view the complete listing, visit the CAPEC Organization Usage page.

We encourage any organization currently using CAPEC to contact us to be added to this page. We look forward to hearing from you!


Virsec Added to “CAPEC Organization Usage” Page that Highlights How Vendors Are Using CAPEC

March 10, 2021

The “CAPEC Organization Usage” page highlights how organizations are actively using CAPEC in their products. Each listing includes the company name, a summary statement of use, brief description, and a screen shot (when available).

One new organization added:

Virsec – Virsec Web Attack Simulator fuzzes application URLs based on CAPEC attack patterns.

To view the complete listing, visit the CAPEC Organization Usage page.

We encourage any organization currently using CAPEC to contact us to be added to this page. We look forward to hearing from you!


AttackForge Added to “CAPEC Organization Usage” Page that Highlights How Vendors Are Using CAPEC

February 25, 2021

The “CAPEC Organization Usage” page highlights how organizations are actively using CAPEC in their products. Each listing includes the company name, a summary statement of use, brief description, and a screen shot (when available).

One new organization added:

AttackForge – includes a pre-populated CAPEC library to help manage pen testing.

To view the complete listing, visit the CAPEC Organization Usage page.

We encourage any organization currently using CAPEC to contact us to be added to this page. We look forward to hearing from you!
