Vocabulary – Vulnerability

Introduction

Dictionary defines: vulnerability – open to attack, harm, or damage

CIS RAM defines: vulnerability – A weakness that could permit a threat to compromise the security of information assets.

Not simple.

ISO/IEC 27000 defines: vulnerability – weakness of an asset or control that can be exploited by one or more threats

Not simple.

PCI DSS defines: vulnerability – Flaw or weakness which, if exploited, may result in an intentional or unintentional compromise of a system.

Not simple.

CNSS defines: vulnerability – Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited.

Not simple and relies on specialized terms.

O-TTPS defines: Vulnerability – A weakness in the design, implementation, or operation of an asset, artifact, system, or network that can be exploited.

Not simple and relies on specialized terms.

CVE defines a vulnerability – A weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability.

Not simple and relies on specialized terms.

EAS defines: vulnerability – A weakness in system security procedures, design, implementation, internal controls, etc. that could be accidentally triggered or intentionally exploited and could result in a violation of the system’s security policy

Not simple and relies on specialized terms.

ISACA defines: vulnerability – A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events

Not simple and relies on specialized terms.

NIST 800-53 defines: vulnerability – Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

Not simple and relies on specialized terms.

OWASP describes: vulnerability – a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application.

Not simple and relies on specialized terms.

STIX defines: vulnerability – a mistake in software that can be directly used by a hacker to gain access to a system or network

Not simple and relies on specialized terms.

FAIR defines: vulnerability – The probability that a threat event will become a loss event (which occurs when a threat agent acts against an asset)

Describes how to measure vulnerability rather than defining what it is.

SDL defines: threat – an attacker's objective

This definition is closer to the definitions of vulnerability above than to a definition of threat, and it only works if the reader understands that "objective" refers to the vulnerability the attacker seeks to exploit.
