Riskaware – CyberAware Predict uses CAPEC to determine potential adversary techniques from scanned vulnerabilities and detected exploits.
News & Events2021 ArchiveCAPEC/CWE Podcast: “CWE and Hardware Security” November 7, 2021 | Share this article The CWE/CAPEC Program’s “Out-of-Bounds Read” podcast is devoted to helping the community that protects systems by understanding weaknesses and attack patterns in software and hardware. In our fifth episode, “CWE and Hardware Security,” hardware experts discuss hardware CWEs and the “2021 CWE™ Most Important Hardware Weaknesses List,” including how the list will help the community, their favorite entries and surprising items on the list, and stories around hardware weaknesses. CAPEC is also a discussion topic. Interviewees include Jason Fung, Director of Offensive Security Research and Academic Research Engagement at Intel; Jason Oberg, Cofounder and Chief Technology Officer at Tortuga Logic; Paul Wortman, Cybersecurity Research Scientist at Wells Fargo; Jasper von Woudenberg, CTO of Riscure North America and co-author of the “Hardware Hacking Handbook”; and Nicole Fern, Senior Security Analyst at Riscure. 
The podcast is available for free on the CWE/CAPEC Program Channel on YouTube, the Out-of-Bounds Read page on Buzzsprout, or on podcast platforms. Please give the podcast a listen and let us know what you think by commenting on Twitter at @cwecapec or sending a direct message, or email us at cwe@.mitre.org or capec@.mitre.org. We look forward to hearing from you! CAPEC/CWE Blog: “New Math: Don’t Let Real Numbers Cause the Loss of Real Lives or Money” November 2, 2021 | Share this article The CAPEC/CWE Team’s “New Math: Don’t Let Real Numbers Cause the Loss of Real Lives or Money” blog article discusses the importance of making sure you know the limits of the problem you are trying to solve and of testing up to those limits. Read the complete article on the CAPEC/CWE Blog on Medium. CAPEC List Version 3.6 Now Available October 21, 2021 | Share this article CAPEC Version 3.6 has been posted on the CAPEC List page. A detailed report is available that lists specific changes between Version 3.5 and Version 3.6. Version 3.6 includes:
The schema was updated to add the Extended_Description property. Summary There are now 546 total attack patterns listed. Changes for the new version release include the following:
See the complete list of changes at https://capec.mitre.org/data/reports/diff_reports/v3.5_v3.6.html. Future updates will be noted here, on the CAPEC Research email discussion list, CAPEC page on LinkedIn, and on @cwecapec on Twitter. Please contact us with any comments or concerns. CAPEC Also Discussed in “The CWE 15th Anniversary Special” Podcast October 21, 2021 | Share this article The CWE/CAPEC Program’s “Out-of-Bounds Read” podcast is devoted to helping the community that protects systems by understanding weaknesses and attack patterns in software and hardware. CAPEC is a main discussion topic in “The CWE 15th Anniversary Special” podcast episode, a special cybersecurity awareness month podcast where the 15-year history and future of the CWE/CAPEC program are discussed with those who made significant contributions to both CAPEC and CWE: Bob Martin, Senior Principal Software and Supply Chain Assurance Engineer at MITRE; Joe Jarzombek, Director of Government and Critical Infrastructure Programs at Synopsis; Chris Eng, Chief Research Officer at Veracode; Chris Levendis, CWE/CAPEC Program Leader at MITRE; and Drew Buttner, Software Assurance Capability Area Lead at MITRE.
The podcast is available for free on the CWE/CAPEC Program Channel on YouTube, the Out-of-Bounds Read page on Buzzsprout, or on podcast platforms. Please give the podcast a listen and let us know what you think by commenting on Twitter at @cwecapec or sending a direct message, or email us at capec@.mitre.org. We look forward to hearing from you! CAPEC/CWE Blog: “The Most Important CWEs and CAPECs to Pay Attention to When Building Software” October 7, 2021 | Share this article The CAPEC/CWE Team’s “The Most Important CWEs and CAPECs to Pay Attention to When Building Software” blog article includes 5 checks for your development process. Read the complete article on the CAPEC/CWE Blog on Medium. CAPEC/CWE Podcast: “What is CAPEC, Why is It important, and How Can it Help Me?” September 1, 2021 | Share this article The CAPEC/CWE Program’s “Out-of-Bounds Read” podcast is devoted to helping the community that protects systems by understanding weaknesses and attack patterns in software and hardware. In our “What is CAPEC, Why is It important, and How Can it Help Me?” episode, Steve Battista of the CWE/CAPEC Program interviews Rich Piazza, the CAPEC Task Lead, about what Common Attack Pattern Enumeration and Classification (CAPEC™) is and the problem it aims to solve, who can benefit from CAPEC and how to leverage it, the role of the community, how CAPEC has evolved over time, and possibilities for the future.
The podcast is available for free on the CWE/CAPEC Program Channel on YouTube and on other podcast platforms. Please give the podcast a listen and let us know what you think by commenting on Twitter at @cwecapec or sending a direct message, or email us at capec@.mitre.org. We look forward to hearing from you! Riskaware Added to “CAPEC Organization Usage” Page that Highlights How Vendors Are Using CAPEC July 9, 2021 | Share this article The “CAPEC Organization Usage” page highlights how organizations are actively using CAPEC in their products. Each listing includes the company name, a summary statement of use, brief description, and a screen shot (when available). One new organization added: To view the complete listing, visit the CAPEC Organization Usage page. We encourage any organization currently using CAPEC to contact us to be added to this page. We look forward to hearing from you! CAPEC List Version 3.5 Now Available June 24, 2021 | Share this article CAPEC Version 3.5 has been posted on the CAPEC List page. A detailed report is available that lists specific changes between Version 3.4 and Version 3.5. Version 3.5 includes:
There were no schema updates. Summary There are now 541 total attack patterns listed. Changes for the new version release include the following:
See the complete list of changes at https://capec.mitre.org/data/reports/diff_reports/v3.4_v3.5.html. Future updates will be noted here, on the CAPEC Research email discussion list, CAPEC page on LinkedIn, and on @cwecapec on Twitter. Please contact us with any comments or concerns. Rapid7 Added to “CAPEC Organization Usage” Page that Highlights How Vendors Are Using CAPEC May 6, 2021 | Share this article The “CAPEC Organization Usage” page highlights how organizations are actively using CAPEC in their products. Each listing includes the company name, a summary statement of use, brief description, and a screen shot (when available). One new organization added: Rapid7 – InsightAppSec leverages CAPEC to provide detailed references to its findings.
To view the complete listing, visit the CAPEC Organization Usage page. We encourage any organization currently using CAPEC to contact us to be added to this page. We look forward to hearing from you! Virsec Added to “CAPEC Organization Usage” Page that Highlights How Vendors Are Using CAPEC March 10, 2021 | Share this article The “CAPEC Organization Usage” page highlights how organizations are actively using CAPEC in their products. Each listing includes the company name, a summary statement of use, brief description, and a screen shot (when available). One new organization added: Virsec – Virsec Web Attack Simulator fuzzes application URLs based on CAPEC attack patterns.
To view the complete listing, visit the CAPEC Organization Usage page. We encourage any organization currently using CAPEC to contact us to be added to this page. We look forward to hearing from you! AttackForge Added to “CAPEC Organization Usage” Page that Highlights How Vendors Are Using CAPEC February 25, 2021 | Share this article The “CAPEC Organization Usage” page highlights how organizations are actively using CAPEC in their products. Each listing includes the company name, a summary statement of use, brief description, and a screen shot (when available). One new organization added: AttackForge – includes a pre-populated CAPEC library to help manage pen testing.
To view the complete listing, visit the CAPEC Organization Usage page. We encourage any organization currently using CAPEC to contact us to be added to this page. We look forward to hearing from you! More information is available — Please select a different filter. |
