Home > News  

News & Events

Right-click and copy a URL to share an article. Send feedback about this page to capec@mitre.org.

CAPEC List Version 2.9 Now Available

January 10, 2017 | Share this article

CAPEC Version 2.9 has been posted on the CAPEC List page. A detailed report is available that lists specific changes between Version 2.8 and Version 2.9.

Major changes for Version 2.9 include adding five new attack patterns: CAPEC-594: Traffic Injection, CAPEC-595: Connection Reset, CAPEC-596: TCP RST Injection, CAPEC-597: Absolute Path Traversal, and CAPEC-598: DNS Spoofing. Also, the Mechanisms of Attack view was cleaned-up by removing categories that were not mechanisms (but rather more like goals), removing circular relationships, and verifying consistency in the meta->standard->detailed relationship structure. In all, 78 patterns and categories were modified, and 13 patterns and categories were deprecated. There were no schema updates.

There are now 503 total attack patterns listed.

Changes for the new version release include the following:

  • New Attack Patterns Added:
5
  • Existing Attack Patterns Updated:
67
  • Attack Patterns Deprecated:
6
  • Existing Categories Updated:
15
  • Categories Deprecated:
7
  • CAPEC-to-CWE Mapping Added:
3
  • CAPEC-to-CWE Mapping Removed:
3

See the complete list of changes at https://capec.mitre.org/data/reports/diff_reports/v2.8_v2.9.html.

Comments are welcome on the CAPEC Research Email Discussion List. Future updates will be noted here and on the CAPEC Research list.

CAPEC Refreshes Website with Easier-to-Use Navigation Menus & Streamlined CAPEC List Page

January 09, 2017 | Share this article

We have updated the CAPEC website to streamline site navigation for an improved user experience. The main navigation menu is now located in an easy-to-access menu bar at the top of every page, with Section Contents menus for each section of the website just below the new main menu.

The main CAPEC List page has also been streamlined for ease-of-use into four main sections:

Navigate CAPEC – Offers two hierarchical representations, Mechanisms of Attack and Domains of Attack, to help you navigate the entire list according to your specific point of view.
External Mappings – Offers views used to represent mappings to external groupings such as a Top-N list, as well as to express subsets of entries that are related by some external factor.
Helpful Views – Offers additional helpful views based on a specific criteria and hope to provide insight for a certain domain or use case, such as a Comprehensive CAPEC Dictionary, Mobile Device Patterns, etc.
Release Downloads – Provides an archive of previous release versions of the core content downloads, schemas, schema documentation, and difference reports.

Please send any comments or concerns to capec@mitre.org.

CAPEC is part of the OWASP Cornucopia gamification

June 3, 2016 | Share this article

CAPEC is part of the Open Web Application Security Project (OWASP) Cornucopia gamification card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic and through the CAPEC mappings to the Cornucopia "attack suits" the Cornucopia card game links the attacks with requirements and verification techniques. With each card mapped to CAPEC software attack pattern IDs, which themselves are mapped to CWEs, the game also covers the CWE weakness IDs targeted. Each card is also mapped to the 36 primary security stories in the SAFECode "Security Stories and Security Tasks for Agile Development Environments", as well as to the OWASP SCP v2, ASVS v2 2014 and AppSensor (application attack detection and response) to help teams create their own security-related stories for use in Agile processes. The first card deck is an "Ecommerce Website Edition" with other decks, like mobile apps in the works.

CAPEC part of ISACA's Cybersecurity Fundamentals Glossary

January 2016 | Share this article

CAPEC is part of Information Systems Audit and Control Association's (ISACA's) Cybersecurity Fundamentals Glossary, provided as part of their Cybersecurity Nexus (CSX) offerings for cybersecurity professionals. CSX provides knowledge, tools, training and credentials for cybersecurity professionals. Additional information on CSX is available at https://cybersecurity.isaca.org.


More information is available — Please select a different filter.
Page Last Updated or Reviewed: January 10, 2017