From a pragmatic point of view, the only time "weakness" makes sense is when you speak of crypto, to describe a flaw that is not a break.
In this case the term weakness has a precise meaning:
A crypto algorithm has a weakness if and only if there exists an attack which allows an attacker to recover the key (or plaintext) in fewer operations than was intended when designing the system.
For example: padding oracle attacks, WEP keys, SSH on Debian with a weak random generator, etc.
Note that the weakness might be theoretical, as it is not computationally feasible. For example the latest AES one (the biclique attack: http://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdf)
Elie
http://elie.im | twitter:@elie (http://twitter.com/elie)
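The first example Elie gives, a padding oracle against CBC, is the clearest case of "recovering the plaintext in fewer operations than intended": the attacker never learns the key and spends at most 256 oracle queries per byte instead of a 2^128 search. The script below is an added illustration, not code from the thread or from any of the posters. It assumes a toy Feistel block cipher (SHA-256 round function, 4 rounds) so it runs with the standard library only; the attack does not depend on which block cipher sits under CBC, so the same loop works unchanged against AES-CBC. The key, IV and message are constructed test data.

```python
"""Padding-oracle recovery of CBC plaintext without the key (added example)."""
import hashlib

BLOCK = 16
ROUNDS = 4


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    # Toy round function (assumption): keyed SHA-256 truncated to 8 bytes.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in range(ROUNDS):
        l, r = r, xor(l, _round(key, rnd, r))
    return l + r


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        l, r = xor(r, _round(key, rnd, l)), l
    return l + r


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_valid(data: bytes) -> bool:
    if not data or len(data) % BLOCK:
        return False
    n = data[-1]
    return 1 <= n <= BLOCK and data[-n:] == bytes([n]) * n


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_encrypt_block(key, xor(pt[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        cur = ct[i:i + BLOCK]
        out += xor(toy_decrypt_block(key, cur), prev)
        prev = cur
    return out


class PaddingOracle:
    """The flaw: a server that reveals whether the decrypted padding was valid."""

    def __init__(self, key: bytes):
        self._key = key
        self.queries = 0

    def __call__(self, iv: bytes, ct: bytes) -> bool:
        self.queries += 1
        return pkcs7_valid(cbc_decrypt(self._key, iv, ct))


def padding_oracle_attack(oracle, iv: bytes, ct: bytes) -> bytes:
    """Recover the padded plaintext with at most ~256 queries per byte, no key."""
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    recovered = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # D_k(cur), learned byte by byte from the right
        for pos in range(BLOCK - 1, -1, -1):
            pad = BLOCK - pos
            for guess in range(256):
                forged = bytearray(BLOCK)
                forged[pos] = guess
                for j in range(pos + 1, BLOCK):
                    forged[j] = inter[j] ^ pad  # steer known bytes to value `pad`
                if not oracle(bytes(forged), cur):
                    continue
                if pos == BLOCK - 1:
                    # Rule out an accidental 0x02 0x02 (or longer) match: disturb
                    # the byte to the left; only a genuine 0x01 still validates.
                    probe = bytearray(forged)
                    probe[pos - 1] ^= 1
                    if not oracle(bytes(probe), cur):
                        continue
                inter[pos] = guess ^ pad
                break
        recovered += xor(inter, prev)
    return recovered


def run_demo(message: bytes) -> dict:
    key = b"constructed-key!"  # constructed; the attacker never sees it
    iv = b"constructed-iv!!"   # constructed
    ct = cbc_encrypt(key, iv, pkcs7_pad(message))
    oracle = PaddingOracle(key)
    recovered = padding_oracle_attack(oracle, iv, ct)
    return {"padded": pkcs7_pad(message), "recovered": recovered,
            "queries": oracle.queries, "blocks": len(ct) // BLOCK}


if __name__ == "__main__":
    r = run_demo(b"attack at dawn; the key is never needed")
    print(r["recovered"], r["queries"], "oracle queries for", r["blocks"], "blocks")
```

The fix on the server side is not a better cipher but removing the oracle: authenticate the ciphertext (an HMAC over IV and ciphertext, or an AEAD mode) and reject before touching the padding, so valid and invalid padding are indistinguishable to the client.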
On Sunday, November 6, 2011 at 8:01 PM, websecurity-request@lists.webappsec.org wrote:
Message: 1
Date: Sun, 6 Nov 2011 17:31:59 -0600
From: "Celestain Fonge" <cfonge@zazotechnologies.com>
To: "'matthew chao'" <mathewchao@gmail.com>
Cc: websecurity@lists.webappsec.org
Subject: Re: [WEB SECURITY] What's the differences between weakness and vulnerability?
Message-ID: <00d201cc9cdc$48a6a240$d9f3e6c0$@zazotechnologies.com>
Content-Type: text/plain; charset="us-ascii"
Per http://en.wikipedia.org/wiki/Vulnerability_(computing)
In computer security, a vulnerability is a weakness which allows an attacker
to reduce a system's information assurance.
Regards,
Celestain.
-----Original Message-----
From: websecurity-bounces@lists.webappsec.org [mailto:websecurity-bounces@lists.webappsec.org] On Behalf Of matthew chao
Sent: Sunday, November 06, 2011 2:35 AM
To: websecurity@lists.webappsec.org
Subject: [WEB SECURITY] What's the differences between weakness and vulnerability?
WASC's definition of "weakness": "The underlying vulnerability within the
application that is exploited." It seems weakness is equal to vulnerability,
and WASC's Glossary
(http://projects.webappsec.org/w/page/13246967/The%20Web%20Security%20Glossary) doesn't include the terms.
However, according to "http://cwe.mitre.org/about/faq.html#A.1",
"Software weaknesses are errors that can lead to software vulnerabilities.
A software vulnerability is a mistake in software that can be directly
used by a hacker to gain access to a system or network.", so they are
different concepts.
The situation is confusing, so what's the difference between weakness and
vulnerability? Thanks!
-Matt
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
Message: 2
Date: Sun, 6 Nov 2011 16:37:47 -0800
From: Michal Zalewski <lcamtuf@coredump.cx>
To: Celestain Fonge <cfonge@zazotechnologies.com>
Cc: websecurity@lists.webappsec.org
Subject: Re: [WEB SECURITY] What's the differences between weakness and vulnerability?
Message-ID: <CALx_OUBpmJQ=SDFfL=Ma47LcBmfnNKQhCAatHg_uoG-_VyDM0g@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
> Per http://en.wikipedia.org/wiki/Vulnerability_(computing)
That article is hilarious!
/mz
End of websecurity Digest, Vol 11, Issue 5
Hi,
Security does suffer from inconsistent taxonomy; however, that
inconsistency lies across methods and not within a method. I know
OSSTMM, also being a complicated piece of work, does occasionally have
a similar problem due to old versions of definitions from a previous
method clashing with the updated version. I'm sure this here is no
different.
What's important is that vulnerabilities, weaknesses, concerns, and
other such words within a subject have a factual basis rather than
come from an ideology. So if we want to say "weakness" we can do so by
framing the method from where it comes. And that word has a definite
function within that method. For example, if I said I was "depressed",
that word unframed takes the colloquial meaning of "sad". However if
it was framed as I was "diagnosed as clinically" depressed then it
takes a whole new meaning within a method where depression describes a
function of associated operations (symptoms). Just like if Godzilla
talked to other monsters about being depressed after having depressed
a large number of people, they would know he speaks of the method of
stepping upon them until they submerge in the ground, which is a
specific operation within the function of being a rather large-sized
monster.
I deliberately made that stupid last sentence to make a point, that
any method can and should use a specific term only if that term has a
clear function or operation within a function regardless of the
industry or science. Being a nascent industry, taxonomy in network and
application security is borrowed from other industries and people
argue over that taxonomy as if other industries, like psychology,
haven't already encountered this issue before. And the more you
research and invent within this industry the more problems you're
going to have finding the right words to mean what you want to say.
The OSSTMM 3 is a huge example of that. So what's important is to
always frame your vocabulary as you speak and be forgiving of how
others use their vocabulary because in network and application
security, we're all non-native speakers.
That said, pragmatically, any control can be weak (or have a weakness)
if it does what it's supposed to do but does so poorly. Someone
mentioned "only" encryption. But I think authentication with a poor
password is also weak. Or indemnification with no teeth. Or integrity
verifying the wrong changes. Or alarm with a slow response. Etc.
Sincerely,
-pete.
--
Pete Herzog - Managing Director - pete@isecom.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org