Common Attack Pattern Enumeration and Classification

News & Events

Current News | Twitter | LinkedIn | YouTube | Podcast | Blog | News Archive

2012 Archive

CAPEC/CWE/MAEC/SwA briefings at DHS/DoD SwA Working Group Meeting Session

CAPEC/CWE Co-Founder and Architect Sean Barnum presented a briefing about Common Attack Pattern Enumeration and Classification (CAPEC™), CWE/CAPEC Program Manager Robert A. Martin presented a briefing about Common Weakness Enumeration (CWE™), and MAEC Program Manager Penny Chase presented a briefing about Malware Attribute Enumeration and Characterization (MAEC™), to the DHS/DoD SwA Working Group Meeting Session on November 27-29, 2012 at MITRE Corporation in McLean, Virginia, USA.

Visit the CAPEC Calendar for information on this and other events.

CAPEC/CWE/MAEC/SwA briefings at DHS/DoD SwA Working Group Meeting Session, November 27-29

CAPEC/CWE Co-Founder and Architect Sean Barnum will present a briefing about Common Attack Pattern Enumeration and Classification (CAPEC™), CWE/CAPEC Program Manager Robert A. Martin will present a briefing about Common Weakness Enumeration (CWE™), and MAEC Program Manager Penny Chase will present a briefing about Malware Attribute Enumeration and Characterization (MAEC™), to the DHS/DoD SwA Working Group Meeting Session on November 27-29, 2012 at MITRE Corporation in McLean, Virginia, USA.

Visit the CAPEC Calendar for information on this and other events.

CAPEC/Making Security Measurable Booth and SwA-Related Briefings at IT Security Automation Conference 2012

MITRE hosted a CAPEC/Making Security Measurable booth at IT Security Automation Conference 2012 on October 3-5, 2012 at Baltimore Convention Center in Baltimore Inner Harbor, Maryland, USA. Attendees learned how information security data standards such as CVE®, CCE™, CPE™, CWE™, CWSS™, CAPEC™, MAEC™, CybOX™, STIX™, CEE™, OVAL®, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

In addition, Common Weakness Enumeration (CWE™), Structured Threat Information Expression (STIX™), Trusted Automated eXchange of Indicator Information (TAXII™), Malware Attribute Enumeration and Characterization (MAEC™), and Open Vulnerability and Assessment Language (OVAL®) were briefing discussion topics.

Visit the CAPEC Calendar for information on this and other events.

CAPEC/CybOX/STIX/MAEC/CWE/SwA Briefings at DHS/DoD SwA Forum Session

CWE/CAPEC/CybOX/STIX Program Manager Robert A. Martin, CWE/CAPEC/CybOX/STIX Co-Founder and Architect Sean Barnum, and Oxford Brookes University’s Clive Blackwell presented a briefing on September 18th entitled "Continuous Monitoring via Software Assurance Automation" that included discussion of the Common Weakness Enumeration (CWE™), Common Attack Pattern Enumeration and Classification (CAPEC™), Cyber Observable Expression (CybOX™), Malware Attribute Enumeration and Characterization (MAEC™), and Structured Threat Information Expression (STIX™) efforts to the DHS/DoD SwA Forum Session on September 18-20, 2012 at MITRE Corporation in McLean, Virginia, USA.

Visit the CAPEC Calendar for information on this and other events.

CAPEC/CybOX/STIX/MAEC/CWE/SwA Briefings at DHS/DoD SwA Forum Session, September 18-20

CWE/CAPEC/CybOX/STIX Program Manager Robert A. Martin, CWE/CAPEC/CybOX/STIX Co-Founder and Architect Sean Barnum, and Oxford Brookes University’s Clive Blackwell will present a briefing on September 18th entitled "Continuous Monitoring via Software Assurance Automation" that will include discussion of the Common Weakness Enumeration (CWE™), Common Attack Pattern Enumeration and Classification (CAPEC™), Cyber Observable Expression (CybOX™), Malware Attribute Enumeration and Characterization (MAEC™), and Structured Threat Information Expression (STIX™) efforts to the DHS/DoD SwA Forum Session on September 18-20, 2012 at MITRE Corporation in McLean, Virginia, USA.

Visit the CAPEC Calendar for information on this and other events.

MITRE Hosts CAPEC/Making Security Measurable Booth at 2012 Information Assurance Expo

MITRE hosted a CAPEC/Making Security Measurable booth at 2012 Information Assurance Expo on August 27-30, 2012 at Gaylord Opryland Resort and Convention Center in Nashville, Tennessee, USA. Attendees learned how information security data standards such as CVE®, CCE™, CPE™, CWE™, CWSS™, CAPEC™, MAEC™, CybOX™, STIX™, CEE™, OVAL®, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CAPEC Calendar for information on this and other events.

CWE/CWRAF Briefing at GFIRST 2012

CWE/CAPEC/CybOX Program Manager Robert A. Martin and Director for Software Assurance at U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD) Joe Jarzombek presented a two-part briefing about Common Weakness Enumeration (CWE™) and Common Weakness Risk Analysis Framework (CWRAF™) entitled "Measuring Software Security, Parts 1&2" at GFIRST 2012 on August 21, 2012 in Atlanta, Georgia, USA.

Visit the CAPEC Calendar for information on this and other events.

MITRE to Host CAPEC/Making Security Measurable Booth at 2012 Information Assurance Expo, August 27-30

MITRE will host a CAPEC/Making Security Measurable booth at 2012 Information Assurance Expo on August 27-30, 2012 at Gaylord Opryland Resort and Convention Center in Nashville, Tennessee, USA. Please visit us at Booth 217 and say hello!

Visit the CAPEC Calendar for information on this and other events.

CWE/CWRAF Briefing at GFIRST 2012, August 21

CWE/CAPEC/CybOX Program Manager Robert A. Martin and Director for Software Assurance at U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD) Joe Jarzombek will present a two-part briefing about Common Weakness Enumeration (CWE™) and Common Weakness Risk Analysis Framework (CWRAF™) entitled "Measuring Software Security, Parts 1&2" at GFIRST 2012 on August 21, 2012 in Atlanta, Georgia, USA. The conference itself runs August 19-24.

Visit the CAPEC Calendar for information on this and other events.

MITRE Hosts CAPEC/Making Security Measurable Booth at Black Hat Briefings 2012

MITRE hosted a CAPEC/Making Security Measurable booth at Black Hat Briefings 2012 on July 25-26, 2012 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA. Attendees learned how information security data standards such as CVE®, CCE™, CPE™, CWE™, CWSS™, CAPEC™, MAEC™, CybOX™, CEE™, OVAL®, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

In addition, CAPEC/CybOX/CWE Co-Founder and Architect Sean Barnum presented a briefing about Structured Threat Information eXpression (STIX™) on July 25.

Visit the CAPEC Calendar for information on this and other events.

CAPEC/CybOX/STIX Keynote Briefing at CyberPatterns 2012, July 10

CAPEC/CybOX/CWE Co-Founder and Architect Sean Barnum presented a keynote briefing entitled “Leveraging Structured Pattern Representations for Cyber Threat Management” that focused on Common Attack Pattern Enumeration and Classification (CAPEC™), Cyber Observable Expression (CybOX™), and Structured Threat Information eXpression (STIX™) at CyberPatterns 2012 on July 10, 2012 in Abingdon, Oxfordshire, United Kingdom.

Briefing Slides from Security Automation Developer Days 2012 Now Available

Briefing presentations from the Cyber Observable Expression (CybOX™) and the Trusted Automated eXchange of Indicator Information (TAXII™)/Structured Threat Information eXpression (STIX™) sessions at the Security Automation Developer Days 2012 conference on July 9-13, 2012 at MITRE in Bedford, Massachusetts, USA are now available for download on the Events and Participation page on the Making Security Measurable Web site. Briefing slides from the 20 other presentations at the event are also included.

CAPEC/CybOX/STIX Keynote Briefing at CyberPatterns 2012, July 10

CAPEC/CybOX/CWE Co-Founder and Architect Sean Barnum will present a keynote briefing entitled “Leveraging Structured Pattern Representations for Cyber Threat Management” that focuses on Common Attack Pattern Enumeration and Classification (CAPEC™), Cyber Observable Expression (CybOX™), and Structured Threat Information eXpression (STIX) at CyberPatterns 2012 on July 10, 2012 in Abingdon, Oxfordshire, United Kingdom.

Visit the CAPEC Calendar for information on this and other events.

MITRE to Host CAPEC/Making Security Measurable Booth at Black Hat Briefings 2012

MITRE will host a CAPEC/Making Security Measurable booth at Black Hat Briefings 2012 on July 25-26, 2012 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA. Please visit us at Booth 216 and say hello!

Visit the CAPEC Calendar for information on this and other events.

CAPEC/CybOX/CWE Briefings at DHS/DoD/NIST SwA Working Group Meeting

CAPEC/CybOX/CWE Co-Founder and Architect Sean Barnum presented briefings about CAPEC and Cyber Observable Expression (CybOX™), and CWE/CybOX/CAPEC Program Manager Robert A. Martin presented a briefing about Common Weakness Enumeration (CWE™), to the DHS/DoD SwA Working Group Meeting Session on June 25-29, 2012 at MITRE Corporation in McLean, Virginia, USA.

Visit the CAPEC Calendar for information on this and other events.

CAPEC/CybOX/CWE/SwA Briefings at DHS/DoD/NIST SwA Working Group Meeting, June 26-28

CAPEC/CybOX/CWE Co-Founder and Architect Sean Barnum will present briefings about CAPEC and Cyber Observable Expression (CybOX™), and CWE/CybOX/CAPEC Program Manager Robert A. Martin will present a briefing about Common Weakness Enumeration (CWE™), to the DHS/DoD SwA Working Group Meeting Session on June 26-28, 2012 at MITRE Corporation in McLean, Virginia, USA.

Visit the CAPEC Calendar for information on this and other events.

Agenda Now Available for MITRE’s Security Automation Developer Days 2012 on July 9-13

The agenda for MITRE’s free Security Automation Developer Days 2012 conference scheduled for July 9-13, 2012 at MITRE in Bedford, Massachusetts, USA is now available at https://register.mitre.org/devdays/agenda.pdf.

For registration, lodging, and other conference details visit the conference registration page. Please note that registration will close on June 15.

CWE/CWSS/CWRAF Briefing and SwA Supply Chain Risk Management Briefing at (ISC)² SecureSDLC 2012

CAPEC/CWE/CybOX Program Manager Robert A. Martin presented a briefing about Common Weakness Enumeration (CWE™), Common Weakness Scoring System (CWSS™), and Common Weakness Risk Analysis Framework (CWRAF™) entitled "The Software Industry’s ‘Clean Water Act’ Alternative", and Director for Software Assurance at U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD) Joe Jarzombek presented a briefing entitled "Software Security Assurance: Software Supply Chain Risk Management," at (ISC)² SecureSDLC 2012 on May 17, 2012 in Washington, D.C., USA.

Visit the CAPEC Calendar for information on this and other events.

CWE/CWSS/CWRAF Briefing and SwA Supply Chain Risk Management Briefing at (ISC)² SecureSDLC 2012, May 17

CAPEC/CWE/CybOX Program Manager Robert A. Martin will present a briefing about CWE, Common Weakness Scoring System (CWSS), and Common Weakness Risk Analysis Framework (CWRAF) entitled "The Software Industry’s ‘Clean Water Act’ Alternative", and Director for Software Assurance at U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD) Joe Jarzombek will present a briefing entitled "Software Security Assurance: Software Supply Chain Risk Management," at (ISC)² SecureSDLC 2012 on May 17, 2012 in Washington, D.C., USA.

Visit the CAPEC Calendar for information on this and other events.

Registration Now Open for Security Automation Developer Days 2012, July 9-13

MITRE Corporation will host the fourth Security Automation Developer Days conference on July 9-13, 2012, at MITRE in Bedford, Massachusetts, USA. This five-day conference is technical in nature and will focus on the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP).

The purpose of the event is for the community to discuss SCAP — and those existing standards upon which it is based including Open Vulnerability and Assessment Language (OVAL®), Common Configuration Enumeration (CCE™), Common Platform Enumeration (CPE™), Extensible Configuration Checklist Description Format (XCCDF) — in technical detail and to derive solutions that benefit all concerned parties. All current and emerging SCAP standards are addressed at this workshop.

MITRE first hosted Developer Days in 2005 and has been running them annually ever since. The model for these technical exchanges has since been adopted as the format used by the Security Automation community.

An agenda will be available soon. For registration, lodging, and other conference details, please visit: https://register.mitre.org/devdays/.

CAPEC List Version 1.7.1 Now Available

CAPEC Version 1.7.1 has been posted on the CAPEC List page. A detailed report is available that lists specific changes between Version 1.7 and Version 1.7.1.

Changes for the new minor version release include: adding a new CWE mapping, CAPEC-113 (API Abuse/Misuse) mapped to Common Weakness Enumeration (CWE™) identifier CWE-676 (Use of Potentially Dangerous Function); adding new summary descriptions for CAPEC-223 (Probabilistic Techniques), CAPEC-225 (Exploitation of Authentication), CAPEC-232 (Exploitation of Privilege/Trust), and CAPEC-255 (Data Structure Attacks); and modifying the summary description for CAPEC-156 (Spoofing).

CAPEC Schema updates included modifying the schema import so that CAPEC Version 1.7.1 now imports Cyber Observable eXpression (CybOX™) Version 1.0 (Draft).

Comments are welcome on the CAPEC Researcher email discussion list. Future updates will be noted here and on the CAPEC Researcher list.

CAPEC/CWE/SAFES and CWRAF Briefings at Systems & Software Technology Conference 2012

CAPEC/CybOX/CWE Co-Founder and Architect Sean Barnum presented a briefing about multi-perspective risk analysis that included discussion of CAPEC, Common Weakness Enumeration (CWE™), and Software Assurance Findings Expression Schema (SAFES), and CWE/CAPEC/CybOX Program Manager Robert A. Martin and Director for Software Assurance at U.S. Department of Homeland Security(DHS) National Cyber Security Division (NCSD) Joe Jarzombek presented a briefing about the CWE Common Weakness Risk Analysis Framework (CWRAF), at the Systems & Software Technology Conference 2012 on April 23-26, 2012 in Salt Lake City, Utah, USA

Visit the CAPEC Calendar for information on this and other events.

“Software Assurance in the DoD” Discussion Panel at Security Solutions 2012

CAPEC/CybOX/CWE Co-Founder and Architect Sean Barnum participated on a discussion panel entitled “Software Assurance in the DoD” at Security Solutions 2012 on April 16-19, 2012 in Tampa, Florida, USA.

CAPEC/CWRAF Briefings at Systems & Software Technology Conference 2012, April 23-26

CAPEC/CybOX/CWE Co-Founder and Architect Sean Barnum will present a briefing about CAPEC, and CWE/CAPEC/CybOX Program Manager Robert A. Martin and Director for Software Assurance at U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD) Joe Jarzombek will present a briefing about the CWE Common Weakness Risk Analysis Framework (CWRAF), at the Systems & Software Technology Conference 2012 on April 23-26, 2012 in Salt Lake City, Utah, USA

Visit the CAPEC Calendar for information on this and other events.

MITRE Hosts CAPEC/Making Security Measurable Booth at InfoSec World 2012

MITRE hosted a CAPEC/Making Security Measurable booth at InfoSec World Conference & Expo 2012 at Disney’s Contemporary Resort in Orlando, Florida, USA, on April 2-4, 2012. Attendees learned how information security data standards such as CAPEC, CybOX, MAEC, CEE, CWE, CVE, CCE, CPE, OVAL, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CAPEC Calendar for information on this and other events.

CAPEC/CybOX/CWE/MAEC Briefings at DHS/DoD/NIST SwA Forum

CAPEC/CybOX/CWE Co-Founder and Architect Sean Barnum presented briefings about CAPEC and CybOX, CWE/CAPEC/CybOX Program Manager Robert A. Martin presented a briefing about CWE, and MAEC Program Manager Penny Chase and MAEC Architect Ivan Kirillov presented a briefing about MAEC at the DHS/DoD/NIST SwA Forum on March 26–30, 2012 at MITRE Corporation in McLean, Virginia, USA.

Visit the CAPEC Calendar for information on this and other events.

CAPEC List Version 1.7 Now Available

CAPEC Version 1.7 has been posted on the CAPEC List page. A detailed report is available that lists specific changes between Version 1.6 and Version 1.7.

Changes for the new release include: 14 new patterns; 30 existing patterns fleshed out to Complete status; modification of the Attack_Motivation-Consequences structure to a more expressive one that aligns with the Common_Consequences structure of the Common Weakness Enumeration (CWE) List, which included conversion of existing content in 187 patterns; mappings to CWE updated for 39 patterns; and minor typographical and content fixes across a limited number of patterns.

Comments are welcome on the CAPEC Researcher email discussion list. Future updates will be noted here and on the CAPEC Researcher list.

MITRE to Host CAPEC/Making Security Measurable Booth at InfoSec World 2012, April 2-4

MITRE will host a CAPEC/Making Security Measurable booth at InfoSec World Conference & Expo 2012 at Disney’s Contemporary Resort in Orlando, Florida, USA, on April 2-4, 2012. Attendees will learn how information security data standards such as CAPEC, CybOX, MAEC, CEE, CWE, CVE, CCE, CPE, OVAL, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Members of the CAPEC Team will be in attendance. Please stop by Booth 513 and say hello!

Visit the CAPEC Calendar for information on this and other events.

CAPEC/CybOX/CWE/MAEC Briefings at DHS/DoD/NIST SwA Forum, March 26-30

CAPEC/CybOX/CWE Co-Founder and Architect Sean Barnum will present briefings about CAPEC and CybOX, CWE/CAPEC/CybOX Program Manager Robert A. Martin will present a briefing about CWE, and MAEC Program Manager Penny Chase and MAEC Architect Ivan Kirillov will present a briefing about MAEC at the DHS/DoD/NIST SwA Forum on March 26–30, 2012 at MITRE Corporation in McLean, Virginia, USA.

Visit the CAPEC Calendar for information on this and other events.

Photos from CAPEC/Making Security Measurable Booth at RSA 2012

MITRE hosted a CAPEC/Making Security Measurable booth at RSA Conference 2012 at the Moscone Center in San Francisco, California, USA, on February 27 - March 2, 2012. Attendees learned how information security data standards such as CAPEC, CybOX, MAEC, CWE, CWSS, CEE, CVE, CCE, CPE, OVAL, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Making Security Measurable booth photos:

CAPEC Compatibility Section Added to CAPEC Web Site

A CAPEC Compatibility section has been added to the CAPEC Web site. CAPEC Compatibility provides for a product or service to be reviewed and registered as officially "CAPEC-Compatible," thereby assisting organizations in their selection and evaluation of tools and/or services for assessing their acquired software against known types of patterns of attack, for learning about the various attack patterns and their possible impact, or to obtain training and education about these issues.

The new section includes a description of the program, a list of the specific compatibility requirements, and instructions for how to make a declaration.

CAPEC/Making Security Measurable Booth at RSA 2012, February 27 – March 2

MITRE will host a CAPEC/Making Security Measurable booth at RSA Conference 2012 at the Moscone Center in San Francisco, California, USA, on February 27 - March 2, 2012. Attendees will learn how information security data standards such as CAPEC, CybOX, MAEC, CWE, CWSS, CEE, CVE, CCE, CPE, OVAL, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Members of the CAPEC Team will be in attendance. Please stop by Booth 2617 and say hello!

Visit the CAPEC Calendar for information on this and other events.

MITRE Announces Initial "Making Security Measurable" Calendar of Events for 2012

MITRE has announced its initial Making Security Measurable calendar of events for 2012. Details regarding MITRE’s scheduled participation at these events are noted on the CAPEC Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.

Other events may be added throughout the year. Visit the CAPEC Calendar for information or contact capec@mitre.org to have MITRE present a briefing or participate in a panel discussion about CAPEC, CybOX, CWE, MAEC, CVE, CCE, CPE, CEE, OVAL, Software Assurance, and/or Making Security Measurable at your event.

CAPEC/CWE/MAEC Briefings at DHS/DoD/NIST SwA Working Group Meeting

CAPEC/CWE Co-Founder and Architect Sean Barnum presented a briefing about CAPEC, CWE/CAPEC Program Manager Robert A. Martin presented a briefing about CWE, and MAEC Program Manager Penny Chase presented a briefing about MAEC, to the DHS/DoD SwA Working Group Meeting Session on November 28 – December 2, 2011 at MITRE Corporation in McLean, Virginia, USA.

Visit the CAPEC Calendar for information on this and other events.

CAPEC/CWE/MAEC Briefings at DHS/DoD/NIST SwA Working Group Meeting, November 28 – December 2

CAPEC/CWE Co-Founder and Architect Sean Barnum will present a briefing about CAPEC, CWE/CAPEC Program Manager Robert A. Martin will present a briefing about CWE, and MAEC Program Manager Penny Chase will present a briefing about MAEC, to the DHS/DoD SwA Working Group Meeting Session on November 28 – December 2, 2011 at MITRE Corporation in McLean, Virginia, USA.

Visit the CAPEC Calendar for information on this and other events.

CAPEC/CybOX/MAEC Briefings at Open Group Security Workshop

CAPEC/CWE Co-Founder and Architect Sean Barnum presented a briefing about CAPEC and Cyber Observable Expression (CybOX) and MAEC Architect Ivan Kirillov presented a briefing about Malware Attribute Enumeration and Characterization (MAEC) at Open Group Security Workshop on November 16, 2011 in Washington, D.C., USA.

Visit the CAPEC Calendar for information on this and other events.

CAPEC/CWE/SwA Briefing at U.S Coast Guard Operations Systems Center

CAPEC/CWE Co-Founder and Architect Sean Barnum presented a briefing about CAPEC/CWE/SwA at the Operations Systems Center of the U.S. Coast Guard on November 15, 2011 in Kearneysville, West Virginia, USA.

Visit the CAPEC Calendar for information on this and other events.

CWE/SANS Top 25 Briefing at Massachusetts Institute of Technology

CWE/CAPEC Program Manager Robert A. Martin presented a briefing about the CWE/SANS Top 25 Most Dangerous Software Errors List as part of MIT’s "Architecting Software Systems - Applied Cyber/Physical Security Speaker" series at the Massachusetts Institute of Technology (MIT) on November 15, 2011 in Cambridge, Massachusetts, USA.

Visit the CAPEC Calendar for information on this and other events.

CAPEC Briefing and Open Architecture Panel Discussion at Defense Daily Open Architecture Summit 2011

CAPEC/CWE Co-Founder and Architect Sean Barnum presented a briefing about CAPEC and participated on discussion panel entitled "DHS Enterprise and Open Architecture" at Defense Daily Open Architecture Summit 2011 on November 9, 2011 in Washington, D.C., USA.

Visit the CAPEC Calendar for information on this and other events.