A MITRE Quick Reference
MITRE’s mission is to make it easier to secure American infrastructure, which they accomplish mostly through the release of excellent dictionary and metrics projects.
It’s hard to keep current with all of them, so I’ve created a list consisting of just the linked name and a one-line description of the project.
CVE: Common Vulnerability Exposure > a dictionary of public vulnerabilities (specific issues with specific products)
CWE: Common Weakness Enumeration > a unified set of weaknesses (general security problems that could affect any product)
CWSS: Common Weakness Scoring System > a system for rating and prioritizing weaknesses
CAPEC: Common Attack Pattern Enumeration and Classification > a taxonomy of known attacks
OVAL: Open Vulnerability and Assessment Language > a standard for performing security assessment and reporting
CWRAF: Common Weakness Risk Analysis Framework > similar to CWSS, but takes business context into account a dictionary and classification taxonomy of known attacks
CybOX: Cyber Observable Expression > a standardized schema for the specification, capture, and communication of security events
MAEC: Malware Attribute Enumeration and Characterization > a standard language for malware behaviors, artifacts, and attack patterns
STIX: Structured Threat Information Expression > a standardized threat information language (uses TAXII to share this information)
TAXII: Trusted Automated Exchange of Indicator Information > a standardized message exchange format for communicating threat information (uses STIX as the threat information language)
SCAP: Security Content Automation Protocol > "a synthesis of interoperable specifications derived from community ideas" (no idea what that means)
XCCDF: Extensible Configuration Checklist Description Format > a language for writing security checklists, benchmarks, and related documents
Notes
The MITRE > website.
MITRE is not an actual government organization, but a not-for-profit sponsored by the federal government.