Home > News > News & Events - 2020 Archive  

News & Events

2020 Archive

CAPEC List Version 3.4 Now Available

December 17, 2020 | Share this article

CAPEC Version 3.4 has been posted on the CAPEC List page. A detailed report is available that lists specific changes between Version 3.3 and Version 3.4.

Version 3.4 includes:

The CAPEC Schema was updated from v3.3 to v3.4 to replace “WASCv2” with “WASC” in TaxonomyNameEnumeration, and add "OWASP Attacks" to TaxonomyNameEnumeration.

Summary

There are now 527 total attack patterns listed.

Changes for the new version release include the following:

  • New Attack Patterns Added:
4
  • Existing Attack Patterns Updated:
181
  • Attack Patterns Deprecated:
1
  • Existing Categories Updated:
1
  • Existing Categories Deprecated:
34
  • New Views Added:
2
  • Existing Views Updated:
1
  • CAPEC-to-CWE Mappings Added:
43
  • CAPEC-to-CWE Mappings Removed:
3
  • CAPEC-to-CAPEC Mappings Added:
35
  • CAPEC-to-CAPEC Mappings Removed:
112

See the complete list of changes at https://capec.mitre.org/data/reports/diff_reports/v3.3_v3.4.html.

Future updates will be noted here, on the CAPEC Research email discussion list, CAPEC page on LinkedIn, and on @cwecapec on Twitter. Please contact us with any comments or concerns.

pytm Added to “CAPEC Organization Usage” Page that Highlights How Vendors Are Using CAPEC

August 25, 2020 | Share this article

The “CAPEC Organization Usage” page highlights how organizations are actively using CAPEC in their products. Each listing includes the company name, a summary statement of use, brief description, and a screen shot (when available).

One new organization added:

pytm – uses CAPEC in its threat library.

To view the complete listing, visit the CAPEC Organization Usage page.

We encourage any organization currently using CAPEC to contact us to be added to this page. We look forward to hearing from you!

CAPEC List Version 3.3 Now Available

July 30, 2020 | Share this article

CAPEC Version 3.3 has been posted on the CAPEC List page. A detailed report is available that lists specific changes between Version 3.2 and Version 3.3.

Version 3.3 includes the addition of seven new attack patterns: CAPEC-508: Shoulder Surfing, CAPEC-565: Password Spraying, CAPEC-655: Avoid Security Tool Identification by Adding Data, and as part of reorganization of the CAPEC-560 subtree, CAPEC-600: Credential Stuffing, CAPEC-652: Use of Known Kerberos Credentials, CAPEC-653: Use of Known Windows Credentials, and CAPEC-654: Credential Prompt Impersonation. In addition, 152 CAPEC-to-CWE (Common Weakness Enumeration) mappings were added, and 245 patterns and 4 categories were updated.

CWE versions 4.0 and 4.1 added 72 Hardware CWEs, 49 of which were mapped to CAPEC Entries in CAPEC Version 3.3. Some CAPEC Entries were enhanced to fully understand the mapping. One new software CWE was also mapped. These mappings help inform a tighter integration between CWE and CAPEC.

The CAPEC Schema was updated from v3.2 to v3.3 to change AttackPatternType/Description, AudienceType/Description, IndicatorsType/Indicator, and PrerequisitesType/Prerequisite to StructuredTextType.

Summary

There are now 524 total attack patterns listed.

Changes for the new version release include the following:

  • New Attack Patterns Added:
7
  • Existing Attack Patterns Updated:
245
  • Attack Patterns Deprecated:
0
  • Existing Categories Updated:
4
  • CAPEC-to-CWE Mappings Added:
152
  • CAPEC-to-CWE Mappings Removed:
12

See the complete list of changes at https://capec.mitre.org/data/reports/diff_reports/v3.2_v3.3.html.

Future updates will be noted here, on the CAPEC Research email discussion list, CAPEC page on LinkedIn, and on @cwecapec on Twitter. Please contact us with any comments or concerns.

VERDICT Added to “CAPEC Organization Usage” Page that Highlights How Vendors Are Using CAPEC

July 30, 2020 | Share this article

The “CAPEC Organization Usage” page highlights how organizations are actively using CAPEC in their products. Each listing includes the company name, a summary statement of use, brief description, and a screen shot (when available).

One new organization added:

VERDICT – uses CAPEC to generate fault and attack/defense trees for analyzing safety and security of architectural models and mission scenarios

To view the complete listing, visit the CAPEC Organization Usage page.

We encourage any organization currently using CAPEC to contact us to be added to this page. We look forward to hearing from you!

New CWE/CAPEC Board Includes Representatives from IT and Cybersecurity Communities

July 20, 2020 | Share this article

CAPEC has established a new CWE/CAPEC Board comprised of representatives from commercial hardware and software vendors, academia, government departments and agencies, and other prominent security experts that will set and promote the goals and objectives of the Common Weakness Enumeration (CWE™)/Common Attack Pattern Enumeration and Classification (CAPEC™) Program.

Members of the CWE/CAPEC Board will work with each other and the community to advise and advocate for the CWE/CAPEC Program. Through open and collaborative discussions, board members will provide critical input regarding domain coverage, coverage goals, operating structure, and strategic direction. All Board Meetings and Board Email List Discussions will be archived for the community.

The newly established Board includes representatives from the following organizations: Cloud Security Alliance, Consortium for IT Software Quality (CISQ), Cybersecurity and Infrastructure Security Agency (CISA), GrammaTech, Intel, Micro Focus, MITRE (CWE/CAPEC Board Moderator), National Institute of Standards and Technology (NIST), Open Web Application Security Project (OWASP), SANS, Synopsys, Tortuga Logic, Università degli Studi di Milano - Bicocca, and Veracode.

Visit the CWE/CAPEC Board page to learn more and/or to view the complete list of members.

More information is available — Please select a different filter.
Page Last Updated or Reviewed: February 25, 2021