capec

URL

Change Log

When            What
May 1st, 2015   Donated by Raghundeep Kannavara

Reference

Studies that use the data (in any form) are required to include the following reference:

@INPROCEEDINGS{6983805,
  author={Kannavara, R.},
  booktitle={Software Reliability Engineering Workshops (ISSREW), 2014 IEEE International Symposium on},
  title={Assessing the Threat Landscape for Software Libraries},
  year={2014},
  month={Nov},
  pages={71-76},
  keywords={programming languages;security of data;software libraries;SDL;computer programming language;mitigation strategy;security development lifecycle;security vulnerability;software library;threat landscape;Joining processes;Licenses;Operating systems;Security;Software libraries;Security Development Lifecycle;Software Libraries;Software Security;Threat Model;Vulnerability Assessment},
  doi={10.1109/ISSREW.2014.58}
}

About the Data

Overview of Data

The Common Attack Pattern Enumeration and Classification (CAPEC) effort is a publicly available, community-developed list of common attack patterns along with a comprehensive schema and classification taxonomy. Each attack pattern captures knowledge about how specific parts of an attack are designed and executed, providing the attacker's perspective on the problem and the solution, and gives guidance on ways to mitigate the attack's effectiveness. The author looked at 453 documented attack patterns and enumerated the associated severity, likelihood of exploit and attacker skill required, as documented by CAPEC, eventually narrowing the set down to 27 attack patterns.
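The triage described above (rating each CAPEC entry by severity, likelihood of exploit and attacker skill, then narrowing the list) can be run mechanically over a CAPEC XML export. The following is an added example, not code from the paper or from the CAPEC project: the element names follow the CAPEC XML export as an assumption, the three sample entries are constructed, and the filter thresholds are assumptions because the paper's own cut-offs are not given on this page.

```python
import xml.etree.ElementTree as ET

# Rank order of the qualitative levels CAPEC uses for severity, likelihood and skill.
LEVELS = {"Very Low": 0, "Low": 1, "Medium": 2, "High": 3, "Very High": 4}

# Constructed sample shaped like a CAPEC XML export; IDs, names and element
# names are assumptions for this example, not real CAPEC entries.
SAMPLE_XML = """<Attack_Patterns>
  <Attack_Pattern ID="9001" Name="Constructed: unchecked library input">
    <Likelihood_Of_Attack>High</Likelihood_Of_Attack>
    <Typical_Severity>Very High</Typical_Severity>
    <Skills_Required><Skill Level="Low">basic tooling</Skill></Skills_Required>
  </Attack_Pattern>
  <Attack_Pattern ID="9002" Name="Constructed: expert-only technique">
    <Likelihood_Of_Attack>Low</Likelihood_Of_Attack>
    <Typical_Severity>High</Typical_Severity>
    <Skills_Required><Skill Level="High">deep expertise</Skill></Skills_Required>
  </Attack_Pattern>
  <Attack_Pattern ID="9003" Name="Constructed: entry with no ratings"/>
</Attack_Patterns>"""

def parse_patterns(xml_text):
    """One dict per Attack_Pattern; a missing rating is kept as None."""
    patterns = []
    for ap in ET.fromstring(xml_text).iter("Attack_Pattern"):
        # With several listed skills, the easiest one is the attacker's floor.
        skills = [s.get("Level") for s in ap.iter("Skill") if s.get("Level") in LEVELS]
        patterns.append({
            "id": int(ap.get("ID")),
            "name": ap.get("Name"),
            "severity": ap.findtext("Typical_Severity"),
            "likelihood": ap.findtext("Likelihood_Of_Attack"),
            "min_skill": min(skills, key=LEVELS.get) if skills else None,
        })
    return patterns

def shortlist(patterns, min_severity="High", min_likelihood="Medium", max_skill="Medium"):
    """Return (kept, unrated): kept holds patterns rated at least min_severity and
    min_likelihood that need at most max_skill, most severe first; unrated holds IDs
    missing any rating, flagged for manual review rather than guessed (thresholds are assumptions)."""
    unrated = [p["id"] for p in patterns if None in (p["severity"], p["likelihood"], p["min_skill"])]
    kept = [p for p in patterns
            if p["id"] not in unrated
            and LEVELS[p["severity"]] >= LEVELS[min_severity]
            and LEVELS[p["likelihood"]] >= LEVELS[min_likelihood]
            and LEVELS[p["min_skill"]] <= LEVELS[max_skill]]
    kept.sort(key=lambda p: (-LEVELS[p["severity"]], -LEVELS[p["likelihood"]], LEVELS[p["min_skill"]]))
    return kept, unrated

if __name__ == "__main__":
    print(shortlist(parse_patterns(SAMPLE_XML)))
```

Entries without all three ratings are reported separately instead of being silently dropped, since a real export contains many such entries and they still need a human decision.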

Paper Abstract

Libraries are collections of implementations of behavior written in a computer programming language, providing a well-defined interface by which the behavior can be invoked. Although a majority of the code in numerous applications comes from libraries, the risk of security vulnerabilities that comes with these libraries is often overlooked. In this regard, we seek to assess the threat landscape associated with software libraries and discuss mitigation strategies via the Security Development Lifecycle (SDL).