MITRE’s mission is to make it easier to secure American infrastructure, which they accomplish mostly through the release of excellent dictionary and metrics projects.
It’s hard to keep current with all of them, so I’ve created a list consisting of just the linked name and a one-line description of the project.
- CVE: Common Vulnerability Exposure
a dictionary of public vulnerabilities (specific issues with specific products)
- CWE: Common Weakness Enumeration
a unified set of weaknesses (general security problems that could affect any product)
- CWSS: Common Weakness Scoring System
a system for rating and prioritizing weaknesses
- CAPEC: Common Attack Pattern Enumeration and Classification
a taxonomy of known attacks
- OVAL: Open Vulnerability and Assessment Language
a standard for performing security assessment and reporting
- CWRAF: Common Weakness Risk Analysis Framework
similar to CWSS, but takes business context into account a dictionary and classification taxonomy of known attacks
- CybOX: Cyber Observable Expression
a standardized schema for the specification, capture, and communication of security events
- MAEC: Malware Attribute Enumeration and Characterization
a standard language for malware behaviors, artifacts, and attack patterns
- STIX: Structured Threat Information Expression
a standardized threat information language (uses TAXII to share this information)
- TAXII: Trusted Automated Exchange of Indicator Information
a standardized message exchange format for communicating threat information (uses STIX as the threat information language)
- SCAP: Security Content Automation Protocol
“a synthesis of interoperable specifications derived from community ideas” (no idea what that means)
- XCCDF: Extensible Configuration Checklist Description Format
a language for writing security checklists, benchmarks, and related documents
- The MITRE website.
- MITRE is not an actual government organization, but a not-for-profit sponsored by the federal government.