Session CS-1: The Common Attack Pattern Enumeration and Classification (CAPEC) - CAG Control 7

March 23, 2010

10:15 AM - 11:15 AM

Prerequisite: None

By learning to think more like attackers, we gain a better understanding of how to defeat their methods. The Common Attack Pattern Enumeration and Classification (CAPEC) project is a community-driven software security initiative similar to the CVE, OVAL, and CWE initiatives and is part of the Consensus Audit Guidelines - Control 7 - Application Security. This talk will serve as an overview of the CAPEC project and a call for public participation, and will showcase the various use cases for CAPEC in software development, testing, architecture analysis, and network management.

At the core of CAPEC is the concept of an "Attack Pattern," a powerful mechanism for capturing and codifying various approaches to cyber attack, including the step-wise granular attack execution flow, the capability and motivation of the attacker, the context within which the attack is possible, the weaknesses being targeted by the attack, a characterization of the typical impact of a successful attack, and recommended mitigations to prevent or decrease the impact of the attack.

Learning Objectives:

  • How a shared attack-pattern vocabulary lets your threat assessment and incident reporting tools talk to each other, so you are not tied to any one vendor's taxonomy
  • How standard ways of referring to attack patterns can open the door to leveraging free content
  • What attack patterns can mean to developers and testers
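
As an added illustration of the attack-pattern record structure described above and of the tool-interoperability objective, the following Python is not CAPEC's own code or schema: it parses a constructed, simplified catalog excerpt (the element names are this example's own, not the real CAPEC XML schema), builds an index keyed by CAPEC and CWE identifiers, and correlates constructed tool-output lines against it. The identifiers used are the public mappings (CAPEC-66 SQL Injection to CWE-89, CAPEC-63 Cross-Site Scripting to CWE-79); the sample scanner and incident lines are made up for the example.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed, simplified catalog excerpt. Element names are this example's
# own (not the CAPEC XML schema); the IDs and CWE mappings are the public ones.
SAMPLE_CATALOG = """<catalog>
  <attack_pattern id="66" name="SQL Injection">
    <prerequisite>User-controllable input reaches a SQL query</prerequisite>
    <step phase="explore">Probe inputs for SQL metacharacter handling</step>
    <step phase="experiment">Craft input that alters query structure</step>
    <step phase="exploit">Read, modify or delete data via the altered query</step>
    <weakness cwe="89"/>
    <impact>Confidentiality, Integrity</impact>
    <mitigation>Use parameterized queries</mitigation>
    <mitigation>Validate input against an allow-list</mitigation>
  </attack_pattern>
  <attack_pattern id="63" name="Cross-Site Scripting (XSS)">
    <prerequisite>Untrusted input is reflected or stored into HTML</prerequisite>
    <step phase="explore">Find reflection points in responses</step>
    <step phase="exploit">Deliver script-bearing input to a victim</step>
    <weakness cwe="79"/>
    <impact>Confidentiality, Integrity</impact>
    <mitigation>Contextually encode output</mitigation>
  </attack_pattern>
</catalog>"""


@dataclass
class AttackPattern:
    """The fields an attack pattern carries, as listed in the abstract above."""
    capec_id: str
    name: str
    prerequisites: list = field(default_factory=list)   # context for the attack
    steps: list = field(default_factory=list)           # (phase, description)
    weaknesses: list = field(default_factory=list)      # targeted CWE ids
    impacts: list = field(default_factory=list)
    mitigations: list = field(default_factory=list)


def parse_catalog(xml_text):
    """Parse the simplified catalog XML into AttackPattern records."""
    root = ET.fromstring(xml_text)
    patterns = []
    for ap in root.findall("attack_pattern"):
        patterns.append(AttackPattern(
            capec_id="CAPEC-" + ap.get("id"),
            name=ap.get("name"),
            prerequisites=[p.text for p in ap.findall("prerequisite")],
            steps=[(s.get("phase"), s.text) for s in ap.findall("step")],
            weaknesses=["CWE-" + w.get("cwe") for w in ap.findall("weakness")],
            impacts=[i.text for i in ap.findall("impact")],
            mitigations=[m.text for m in ap.findall("mitigation")],
        ))
    return patterns


def build_index(patterns):
    """Map every identifier (the pattern's own CAPEC id and each CWE it
    targets) to the patterns carrying it. A CWE may map to several patterns."""
    index = {}
    for ap in patterns:
        for key in [ap.capec_id] + ap.weaknesses:
            index.setdefault(key, []).append(ap)
    return index


ID_RE = re.compile(r"\b(CAPEC|CWE)-(\d+)\b")


def correlate(lines, index):
    """For each tool-output line, return the CAPEC ids of patterns it maps to,
    whether the line cites a CAPEC id or a CWE id. Lines citing nothing the
    catalog knows about map to an empty list rather than raising."""
    result = {}
    for line in lines:
        ids = {f"{kind}-{num}" for kind, num in ID_RE.findall(line)}
        found = []
        for ident in sorted(ids):
            for ap in index.get(ident, []):
                if ap.capec_id not in found:
                    found.append(ap.capec_id)
        result[line] = found
    return result


def mitigations_for(line, index):
    """Collect, in catalog order, the mitigations of every pattern a line maps
    to; this is what a developer or tester would pull from the catalog."""
    out = []
    for capec_id in correlate([line], index)[line]:
        for ap in index[capec_id]:
            for m in ap.mitigations:
                if m not in out:
                    out.append(m)
    return out


# Constructed tool output: a static-analysis finding keyed by CWE, an incident
# ticket keyed by CAPEC, and a finding whose CWE the sample catalog lacks.
SAMPLE_LINES = [
    "scanner: login.php:42 tainted string reaches query (CWE-89)",
    "incident ticket: web app script injection, analyst mapped to CAPEC-63",
    "scanner: upload.php:10 path traversal (CWE-22)",
]

if __name__ == "__main__":
    idx = build_index(parse_catalog(SAMPLE_CATALOG))
    for line, ids in correlate(SAMPLE_LINES, idx).items():
        print(ids, "<-", line, "| mitigations:", mitigations_for(line, idx))
```

Because the scanner speaks CWE and the incident ticket speaks CAPEC, the two only line up through the catalog's CWE-to-CAPEC links; that cross-reference, not the parser, is what makes the correlation vendor-neutral. The real catalog is distributed as XML with its own schema, so the parser above would need to be rewritten against that schema rather than the constructed elements used here.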