CAPEC: Common Attack Pattern Enumeration and Classification (https://capec.mitre.org/)
We have a few rules with CAPEC tags and links to CAPEC descriptions in their comments. But so far this, has not been done in a consistent way. A systematic approach is necessary. It would also be the base for consistent attack statistics.
Part of the task is a discussion if we want to abandon the incomplete OWASP tags - or not.
This topics has been discussed in #924 and in a chat as well.
Copying over the summary of the discussion:
We talked about this for a great length during the chat. Here are the important bits:
What is CAPEC and what is the relationship to CWE?
https://cwe.mitre.org/about/faq.html#A.7 has the following to say: "While CWE is a list of software weakness types, Common Attack Pattern Enumeration and Classification (CAPECâ„¢) is a list of the most common methods attackers use to exploit vulnerabilities resulting from CWEs. Used together, CWE and CAPEC provide understanding and guidance to software development personnel of all levels as to where and how their software is likely to be attacked, thereby equipping them with the information they need to help them build more secure software."
It is thus that CAPEC is more attack oriented and thus closer to our rules and their categories.
We shall also go through and note the changes to OWASP top 10 tags
Will try to get this done, based on what we discussed in the summit.
That would be huge, Felipe!
Yesterday I had a meeting with one potential student. He will begin playing with msc_pyparser to get a document with all tags per rule.
Officially he may start by the end of November. We'll see.
This sounds very good. Is there anything we should do to make this work?
Also: Would this be a moment, where we get in touch with any OWASP projects that might profit from this / might be interested in our data? (First task: Find out which OWASP project might qualify).
Most helpful comment
Yesterday I had a meeting with one potential student. He will begin playing with
msc_pyparserto get a document with all tags per rule.Officially he may start by the end of November. We'll see.