
News & Events


Join Us for the “CAPEC Program User Summit” on February 23!

January 13, 2022

Please join the CAPEC team for our first-ever virtual “CAPEC Program User Summit” on Wednesday, February 23, 2022 from 10:30 am to 4:30 pm EST.

Program improvements, education and awareness, and modernization will be the focus areas for this event. Attendees will have the opportunity to participate in subsequent discussions around the following topics and more:

  • Assessing CAPEC offerings
  • User perceptions
  • Mitigating supply chain attacks with CAPEC
  • Using CAPEC’s execution flows (steps to perform an attack) as a playbook for pen testing
  • The CAPEC Program’s vision for the future of the program
  • Other topics suggested by attendees

A complete agenda and additional details will be available soon.

Register for the event here.

CAPEC/CWE Blog: “HTTP Desync: The Redux and Evolution of HTTP Smuggling and Splitting Attack Techniques”

January 13, 2022

The CAPEC/CWE Team’s “HTTP Desync: The Redux and Evolution of HTTP Smuggling and Splitting Attack Techniques” blog article provides a primer on the often conflated HTTP (response/request) (splitting/smuggling) attack techniques as well as information about which CAPEC entries may help further distinguish between the two.

Read the complete article on the CAPEC/CWE Blog on Medium.

CAPEC/CWE Communications Survey

January 6, 2022

The CAPEC/CWE Program requests your feedback on our communications efforts. We would like to learn what you think about the topics being covered on our CAPEC/CWE Blog and Out-of-Bounds Read podcast, as well as anything else you would like to see or learn more about.

Please respond to our “CAPEC/CWE Communications Survey” and share your thoughts today!

CAPEC/CWE Podcast: “CWE and Hardware Security”

November 7, 2021

The CWE/CAPEC Program’s “Out-of-Bounds Read” podcast is devoted to helping the community that protects systems by understanding weaknesses and attack patterns in software and hardware.

In our fifth episode, “CWE and Hardware Security,” hardware experts discuss hardware CWEs and the “2021 CWE™ Most Important Hardware Weaknesses List,” including how the list will help the community, their favorite entries and surprising items on the list, and stories around hardware weaknesses. CAPEC is also a discussion topic.

Interviewees include Jason Fung, Director of Offensive Security Research and Academic Research Engagement at Intel; Jason Oberg, Cofounder and Chief Technology Officer at Tortuga Logic; Paul Wortman, Cybersecurity Research Scientist at Wells Fargo; Jasper von Woudenberg, CTO of Riscure North America and co-author of the “Hardware Hacking Handbook”; and Nicole Fern, Senior Security Analyst at Riscure.

Out of Bounds Read podcast episode 5 - CWE and Hardware

The podcast is available for free on the CWE/CAPEC Program Channel on YouTube, the Out-of-Bounds Read page on Buzzsprout, or on podcast platforms.

Please give the podcast a listen and let us know what you think by commenting on Twitter at @cwecapec or sending a direct message, or email us at cwe@mitre.org or capec@mitre.org. We look forward to hearing from you!

CAPEC/CWE Blog: “New Math: Don’t Let Real Numbers Cause the Loss of Real Lives or Money”

November 2, 2021

The CAPEC/CWE Team’s “New Math: Don’t Let Real Numbers Cause the Loss of Real Lives or Money” blog article discusses the importance of making sure you know the limits of the problem you are trying to solve and of testing up to those limits.

Read the complete article on the CAPEC/CWE Blog on Medium.

CAPEC List Version 3.6 Now Available

October 21, 2021

CAPEC Version 3.6 has been posted on the CAPEC List page. A detailed report is available that lists specific changes between Version 3.5 and Version 3.6.

Version 3.6 includes:

The schema was updated to add the Extended_Description property.

Summary

There are now 546 total attack patterns listed.

Changes for the new version release include the following:

  • New Attack Patterns Added: 6
  • Existing Attack Patterns Updated: 70
  • Attack Patterns Deprecated: 1
  • Existing Categories Updated: 0
  • Existing Categories Deprecated: 0
  • New Views Added: 0
  • Existing Views Updated: 0
  • CAPEC-to-CWE Mappings Added: 34
  • CAPEC-to-CWE Mappings Removed: 42
  • CAPEC-to-CAPEC Mappings Added: 46
  • CAPEC-to-CAPEC Mappings Removed: 1

See the complete list of changes at https://capec.mitre.org/data/reports/diff_reports/v3.5_v3.6.html.

Future updates will be noted here, on the CAPEC Research email discussion list, CAPEC page on LinkedIn, and on @cwecapec on Twitter. Please contact us with any comments or concerns.

CAPEC Also Discussed in “The CWE 15th Anniversary Special” Podcast

October 21, 2021

The CWE/CAPEC Program’s “Out-of-Bounds Read” podcast is devoted to helping the community that protects systems by understanding weaknesses and attack patterns in software and hardware.

CAPEC is a main discussion topic in “The CWE 15th Anniversary Special” podcast episode, a special Cybersecurity Awareness Month podcast in which the 15-year history and future of the CWE/CAPEC Program are discussed with those who made significant contributions to both CAPEC and CWE: Bob Martin, Senior Principal Software and Supply Chain Assurance Engineer at MITRE; Joe Jarzombek, Director of Government and Critical Infrastructure Programs at Synopsys; Chris Eng, Chief Research Officer at Veracode; Chris Levendis, CWE/CAPEC Program Leader at MITRE; and Drew Buttner, Software Assurance Capability Area Lead at MITRE.

Out of Bounds Read podcast episode 4 - The CWE 15th Anniversary Special

The podcast is available for free on the CWE/CAPEC Program Channel on YouTube, the Out-of-Bounds Read page on Buzzsprout, or on podcast platforms.

Please give the podcast a listen and let us know what you think by commenting on Twitter at @cwecapec or sending a direct message, or email us at capec@mitre.org. We look forward to hearing from you!

CAPEC/CWE Blog: “The Most Important CWEs and CAPECs to Pay Attention to When Building Software”

October 7, 2021

The CAPEC/CWE Team’s “The Most Important CWEs and CAPECs to Pay Attention to When Building Software” blog article includes 5 checks for your development process.

Read the complete article on the CAPEC/CWE Blog on Medium.

CAPEC/CWE Podcast: “What is CAPEC, Why is It important, and How Can it Help Me?”

September 1, 2021

The CAPEC/CWE Program’s “Out-of-Bounds Read” podcast is devoted to helping the community that protects systems by understanding weaknesses and attack patterns in software and hardware.

In our “What is CAPEC, Why is It important, and How Can it Help Me?” episode, Steve Battista of the CWE/CAPEC Program interviews Rich Piazza, the CAPEC Task Lead, about what Common Attack Pattern Enumeration and Classification (CAPEC™) is and the problem it aims to solve, who can benefit from CAPEC and how to leverage it, the role of the community, how CAPEC has evolved over time, and possibilities for the future.

Out of Bounds Read podcast episode 2 - What is CAPEC, Why is It important, and How Can it Help Me?

The podcast is available for free on the CWE/CAPEC Program Channel on YouTube and on other podcast platforms.

Please give the podcast a listen and let us know what you think by commenting on Twitter at @cwecapec or sending a direct message, or email us at capec@mitre.org. We look forward to hearing from you!

Riskaware Added to “CAPEC Organization Usage” Page that Highlights How Vendors Are Using CAPEC

July 9, 2021

The “CAPEC Organization Usage” page highlights how organizations are actively using CAPEC in their products. Each listing includes the company name, a summary statement of use, brief description, and a screen shot (when available).

One new organization added:

Riskaware – CyberAware Predict uses CAPEC to determine potential adversary techniques from scanned vulnerabilities and detected exploits.

To view the complete listing, visit the CAPEC Organization Usage page.

We encourage any organization currently using CAPEC to contact us to be added to this page. We look forward to hearing from you!

CAPEC List Version 3.5 Now Available

June 24, 2021

CAPEC Version 3.5 has been posted on the CAPEC List page. A detailed report is available that lists specific changes between Version 3.4 and Version 3.5.

Version 3.5 includes:

There were no schema updates.

Summary

There are now 541 total attack patterns listed.

Changes for the new version release include the following:

  • New Attack Patterns Added: 14
  • Existing Attack Patterns Updated: 127
  • Attack Patterns Deprecated: 0
  • Existing Categories Updated: 0
  • Existing Categories Deprecated: 0
  • New Views Added: 0
  • Existing Views Updated: 0
  • CAPEC-to-CWE Mappings Added: 46
  • CAPEC-to-CWE Mappings Removed: 69
  • CAPEC-to-CAPEC Mappings Added: 46
  • CAPEC-to-CAPEC Mappings Removed: 2

See the complete list of changes at https://capec.mitre.org/data/reports/diff_reports/v3.4_v3.5.html.

Future updates will be noted here, on the CAPEC Research email discussion list, CAPEC page on LinkedIn, and on @cwecapec on Twitter. Please contact us with any comments or concerns.

Rapid7 Added to “CAPEC Organization Usage” Page that Highlights How Vendors Are Using CAPEC

May 6, 2021

The “CAPEC Organization Usage” page highlights how organizations are actively using CAPEC in their products. Each listing includes the company name, a summary statement of use, brief description, and a screen shot (when available).

One new organization added:

Rapid7 – InsightAppSec leverages CAPEC to provide detailed references to its findings.

To view the complete listing, visit the CAPEC Organization Usage page.

We encourage any organization currently using CAPEC to contact us to be added to this page. We look forward to hearing from you!

Virsec Added to “CAPEC Organization Usage” Page that Highlights How Vendors Are Using CAPEC

March 10, 2021

The “CAPEC Organization Usage” page highlights how organizations are actively using CAPEC in their products. Each listing includes the company name, a summary statement of use, brief description, and a screen shot (when available).

One new organization added:

Virsec – Virsec Web Attack Simulator fuzzes application URLs based on CAPEC attack patterns.

To view the complete listing, visit the CAPEC Organization Usage page.

We encourage any organization currently using CAPEC to contact us to be added to this page. We look forward to hearing from you!

AttackForge Added to “CAPEC Organization Usage” Page that Highlights How Vendors Are Using CAPEC

February 25, 2021

The “CAPEC Organization Usage” page highlights how organizations are actively using CAPEC in their products. Each listing includes the company name, a summary statement of use, brief description, and a screen shot (when available).

One new organization added:

AttackForge – includes a pre-populated CAPEC library to help manage pen testing.

To view the complete listing, visit the CAPEC Organization Usage page.

We encourage any organization currently using CAPEC to contact us to be added to this page. We look forward to hearing from you!

CAPEC List Version 3.4 Now Available

December 17, 2020

CAPEC Version 3.4 has been posted on the CAPEC List page. A detailed report is available that lists specific changes between Version 3.3 and Version 3.4.

Version 3.4 includes:

The CAPEC Schema was updated from v3.3 to v3.4 to replace “WASCv2” with “WASC” in TaxonomyNameEnumeration, and to add “OWASP Attacks” to TaxonomyNameEnumeration.

Summary

There are now 527 total attack patterns listed.

Changes for the new version release include the following:

  • New Attack Patterns Added: 4
  • Existing Attack Patterns Updated: 181
  • Attack Patterns Deprecated: 1
  • Existing Categories Updated: 1
  • Existing Categories Deprecated: 34
  • New Views Added: 2
  • Existing Views Updated: 1
  • CAPEC-to-CWE Mappings Added: 43
  • CAPEC-to-CWE Mappings Removed: 3
  • CAPEC-to-CAPEC Mappings Added: 35
  • CAPEC-to-CAPEC Mappings Removed: 112

See the complete list of changes at https://capec.mitre.org/data/reports/diff_reports/v3.3_v3.4.html.

Future updates will be noted here, on the CAPEC Research email discussion list, CAPEC page on LinkedIn, and on @cwecapec on Twitter. Please contact us with any comments or concerns.

pytm Added to “CAPEC Organization Usage” Page that Highlights How Vendors Are Using CAPEC

August 25, 2020

The “CAPEC Organization Usage” page highlights how organizations are actively using CAPEC in their products. Each listing includes the company name, a summary statement of use, brief description, and a screen shot (when available).

One new organization added:

pytm – uses CAPEC in its threat library.

To view the complete listing, visit the CAPEC Organization Usage page.

We encourage any organization currently using CAPEC to contact us to be added to this page. We look forward to hearing from you!

CAPEC List Version 3.3 Now Available

July 30, 2020

CAPEC Version 3.3 has been posted on the CAPEC List page. A detailed report is available that lists specific changes between Version 3.2 and Version 3.3.

Version 3.3 includes the addition of seven new attack patterns: CAPEC-508: Shoulder Surfing, CAPEC-565: Password Spraying, CAPEC-655: Avoid Security Tool Identification by Adding Data, and as part of reorganization of the CAPEC-560 subtree, CAPEC-600: Credential Stuffing, CAPEC-652: Use of Known Kerberos Credentials, CAPEC-653: Use of Known Windows Credentials, and CAPEC-654: Credential Prompt Impersonation. In addition, 152 CAPEC-to-CWE (Common Weakness Enumeration) mappings were added, and 245 patterns and 4 categories were updated.

CWE versions 4.0 and 4.1 added 72 Hardware CWEs, 49 of which were mapped to CAPEC entries in CAPEC Version 3.3. Some CAPEC entries were enhanced so that the reasoning behind each mapping is clear. One new software CWE was also mapped. These mappings help inform a tighter integration between CWE and CAPEC.

The CAPEC Schema was updated from v3.2 to v3.3 to change AttackPatternType/Description, AudienceType/Description, IndicatorsType/Indicator, and PrerequisitesType/Prerequisite to StructuredTextType.

Summary

There are now 524 total attack patterns listed.

Changes for the new version release include the following:

  • New Attack Patterns Added: 7
  • Existing Attack Patterns Updated: 245
  • Attack Patterns Deprecated: 0
  • Existing Categories Updated: 4
  • CAPEC-to-CWE Mappings Added: 152
  • CAPEC-to-CWE Mappings Removed: 12

See the complete list of changes at https://capec.mitre.org/data/reports/diff_reports/v3.2_v3.3.html.

Future updates will be noted here, on the CAPEC Research email discussion list, CAPEC page on LinkedIn, and on @cwecapec on Twitter. Please contact us with any comments or concerns.

VERDICT Added to “CAPEC Organization Usage” Page that Highlights How Vendors Are Using CAPEC

July 30, 2020

The “CAPEC Organization Usage” page highlights how organizations are actively using CAPEC in their products. Each listing includes the company name, a summary statement of use, brief description, and a screen shot (when available).

One new organization added:

VERDICT – uses CAPEC to generate fault and attack/defense trees for analyzing the safety and security of architectural models and mission scenarios.

To view the complete listing, visit the CAPEC Organization Usage page.

We encourage any organization currently using CAPEC to contact us to be added to this page. We look forward to hearing from you!

New CWE/CAPEC Board Includes Representatives from IT and Cybersecurity Communities

July 20, 2020

CAPEC has established a new CWE/CAPEC Board composed of representatives from commercial hardware and software vendors, academia, government departments and agencies, and other prominent security experts, which will set and promote the goals and objectives of the Common Weakness Enumeration (CWE™)/Common Attack Pattern Enumeration and Classification (CAPEC™) Program.

Members of the CWE/CAPEC Board will work with each other and the community to advise and advocate for the CWE/CAPEC Program. Through open and collaborative discussions, board members will provide critical input regarding domain coverage, coverage goals, operating structure, and strategic direction. All Board Meetings and Board Email List Discussions will be archived for the community.

The newly established Board includes representatives from the following organizations: Cloud Security Alliance, Consortium for IT Software Quality (CISQ), Cybersecurity and Infrastructure Security Agency (CISA), GrammaTech, Intel, Micro Focus, MITRE (CWE/CAPEC Board Moderator), National Institute of Standards and Technology (NIST), Open Web Application Security Project (OWASP), SANS, Synopsys, Tortuga Logic, Università degli Studi di Milano - Bicocca, and Veracode.

Visit the CWE/CAPEC Board page to learn more and/or to view the complete list of members.

Page Last Updated or Reviewed: January 13, 2022