websecurity@lists.webappsec.org

The Web Security Mailing List


Re: [WEB SECURITY] websecurity Digest, Vol 11, Issue 5

EB
Elie Bursztein
Mon, Nov 7, 2011 4:50 AM

From a pragmatic point of view, the only time where weakness makes sense is when you speak of crypto to describe a flaw that is not a break.

In this case the term weakness has a precise meaning:
A crypto algorithm has a weakness if and only if there exists an attack which allows an attacker to recover the key (or plaintext) in fewer operations than what was intended while designing the system.

For example: padding oracle attacks, WEP key, SSH on Debian with a weak random generator, etc.

Note that the weakness might be theoretical, as it is not computationally feasible. For example, the latest AES one (the biclique attack: http://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdf).

Elie
http://elie.im | twitter:@elie (http://twitter.com/elie)


On Sunday, November 6, 2011 at 8:01 PM, websecurity-request@lists.webappsec.org wrote:


Today's Topics:

  1. Re: What's the differences between weakness and
    vulnerability? (Celestain Fonge)
  2. Re: What's the differences between weakness and
    vulnerability? (Michal Zalewski)

Message: 1
Date: Sun, 6 Nov 2011 17:31:59 -0600
From: "Celestain Fonge" <cfonge@zazotechnologies.com>
To: "'matthew chao'" <mathewchao@gmail.com>
Cc: websecurity@lists.webappsec.org
Subject: Re: [WEB SECURITY] What's the differences between weakness and vulnerability?
Message-ID: <00d201cc9cdc$48a6a240$d9f3e6c0$@zazotechnologies.com>
Content-Type: text/plain; charset="us-ascii"

Per http://en.wikipedia.org/wiki/Vulnerability_(computing)

In computer security, a vulnerability is a weakness which allows an attacker
to reduce a system's information assurance.

Regards,
Celestain.

-----Original Message-----
From: websecurity-bounces@lists.webappsec.org [mailto:websecurity-bounces@lists.webappsec.org] On Behalf Of matthew chao
Sent: Sunday, November 06, 2011 2:35 AM
To: websecurity@lists.webappsec.org
Subject: [WEB SECURITY] What's the differences between weakness and vulnerability?

WASC's definition of "weakness": "The underlying vulnerability within the
application that is exploited." It seems weakness is equal to vulnerability,
and WASC's Glossary
(http://projects.webappsec.org/w/page/13246967/The%20Web%20Security%20Glossary)
doesn't include the terms.

However, according to "http://cwe.mitre.org/about/faq.html#A.1",
"Software weaknesses are errors that can lead to software vulnerabilities.
A software vulnerability is a mistake in software that can be directly
used by a hacker to gain access to a system or network.", so they are
different concepts.

The situation is confusing, so what are the differences between weakness and
vulnerability? Thanks!

-Matt



Message: 2
Date: Sun, 6 Nov 2011 16:37:47 -0800
From: Michal Zalewski <lcamtuf@coredump.cx>
To: Celestain Fonge <cfonge@zazotechnologies.com>
Cc: websecurity@lists.webappsec.org
Subject: Re: [WEB SECURITY] What's the differences between weakness and vulnerability?
Message-ID: <CALx_OUBpmJQ=SDFfL=Ma47LcBmfnNKQhCAatHg_uoG-_VyDM0g@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

> Per http://en.wikipedia.org/wiki/Vulnerability_(computing)

That article is hilarious!

/mz



PH
Pete Herzog
Mon, Nov 7, 2011 11:46 AM

Hi,

Security does suffer from inconsistent taxonomy; however, that
inconsistency lies across methods and not within a method. I know
OSSTMM, also being a complicated piece of work, does occasionally have
a similar problem due to old versions of definitions from a previous
method clashing with the updated version. I'm sure this here is no
different.

What's important is that vulnerabilities, weaknesses, concerns, and
other such words within a subject have a factual basis rather than
come from an ideology. So if we want to say "weakness" we can do so by
framing the method from where it comes. And that word has a definite
function within that method. For example, if I said I was "depressed",
that word unframed takes the colloquial meaning of "sad". However, if
it was framed as I was "diagnosed as clinically" depressed, then it
takes a whole new meaning within a method where depression describes a
function of associated operations (symptoms). Just like if Godzilla
talked to other monsters about being depressed after having depressed
a large number of people, they would know he speaks of the method of
stepping upon them until they submerge in the ground, which is a
specific operation within the function of being a rather large-sized
monster.

I deliberately made that stupid last sentence to make a point, that
any method can and should use a specific term only if that term has a
clear function or operation within a function regardless of the
industry or science. Being a nascent industry, taxonomy in network and
application security is borrowed from other industries and people
argue over that taxonomy as if other industries, like psychology,
haven't already encountered this issue before. And the more you
research and invent within this industry the more problems you're
going to have finding the right words to mean what you want to say.
The OSSTMM 3 is a huge example of that. So what's important is to
always frame your vocabulary as you speak and be forgiving of how
others use their vocabulary because in network and application
security, we're all non-native speakers.

That said, pragmatically, any control can be weak (or have a weakness)
if it does what it's supposed to do but does so poorly. Someone
mentioned "only" encryption. But I think authentication with a poor
password is also weak. Or indemnification with no teeth. Or integrity
verifying the wrong changes. Or alarm with a slow response. Etc.

Sincerely,
-pete.

--
Pete Herzog - Managing Director - pete@isecom.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org
