[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Fwd: vulnerability definitions

Terminology was mentioned, I just sent this to the CVSS list.

 - Art


A "vulnerability" is a weakness in the computational logic (e.g., code)
found in software and some hardware components (e.g., firmware) that,
when exploited, results in a negative impact to confidentiality,
integrity, OR availability.




(collection of other known definitions)

NISTIR 8151:

"...one or more weaknesses that can be accidentally triggered or
intentionally exploited and result in a violation of desired system
properties. A weakness is an undesired characteristic of a system’s
requirements, design or implementation."


(I like this one, but don't think the "accidentally triggered" bit is

ISO 27000:
weakness of an asset or control (2.16) that can be exploited by one or
more threats (2.83)

(Too generic?)

ISO 29147:
weakness of software, hardware, or online service that can be exploited

functional behaviour of a product or online service that violates an
implicit or explicit security policy (revised)

set of conditions or behavior that violates an implicit or explicit
security policy (my personal version)

"Implicit" policy is equivalent to NIST's "desired system properties,"
e.g., my implicit policy is that arbitrary code shouldn't execute when I
open a PDF file.

 - Art

Page Last Updated or Reviewed: February 09, 2017