IBM X-Force Threat Research adopted the CAPEC standard for attack categorization because it was developed using methodologies similar to those used in other well-established naming conventions for security terms, such as Common Vulnerabilities and Exposures (CVE). Many IT security professionals are already aware of the CVE dictionary of common names for publicly known cybersecurity vulnerabilities.

Prior to CVE, the security tools that existed used their own names for vulnerabilities, and it was relatively difficult to determine whether different tools were referring to the same problem. The CVE database, also maintained by MITRE, was launched in 1999 to bring a consistent approach to naming security vulnerabilities and exposures. This effort was successful — CVE is now the industry standard for vulnerability and exposure names.

As of March 20, 2017, the IBM X-Force Vulnerability Database reported 110,503 vulnerabilities, 83,087 of which were associated with a CVE. When a vulnerability scanning service or tool reports a finding, it helps the user to know the associated CVE identifier. The CVE ID documentation provides a short description of the vulnerability and a list of references that offer more details on how to mitigate the specified vulnerability.

Another popular naming standard in the developer and security practitioner communities is the Common Weakness Enumeration (CWE) project, a community-developed list of common software security weaknesses. It serves as a common language, a measuring stick for software security tools, and a baseline standard for weakness identification, mitigation and prevention efforts. As of CWE version 2.10, there are a total of 1,005 CWEs.
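The practical value of a shared identifier is that findings from different tools can be recognized as the same issue, which is exactly what was hard before CVE existed. The script below is an added example, not code from the original post or from IBM X-Force: it pulls CVE and CWE identifiers out of free-form scanner references (in whatever case or wrapping text the tool emits), normalizes them, and groups findings from two hypothetical scanners under the CVE they share. Findings without a CVE are deliberately kept apart per tool, since two tool-specific names cannot safely be assumed to mean the same thing. The tool names, finding titles and the CVE number are constructed placeholders; the CVE/CWE identifier syntax is the real one.

```python
import re
from collections import defaultdict

# Identifier syntax: CVE-YYYY-NNNN with four or more sequence digits
# (the 2014 CVE syntax change removed the four-digit cap); CWE-N.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)
CWE_RE = re.compile(r"\bCWE-(\d+)\b", re.IGNORECASE)


def extract_cve(text):
    """Return the first CVE ID found in text, normalized to upper case, or None."""
    m = CVE_RE.search(text)
    if not m:
        return None
    return f"CVE-{m.group(1)}-{m.group(2)}"


def extract_cwe(text):
    """Return the first CWE ID found in text as 'CWE-N', or None."""
    m = CWE_RE.search(text)
    return f"CWE-{m.group(1)}" if m else None


def correlate(findings):
    """Group findings from several tools under a shared CVE ID.

    Each finding is a dict with 'tool', 'title' and 'ref'. Findings whose
    reference carries no CVE ID stay under a per-tool key, because nothing
    lets us assert that two tool-specific names refer to the same issue.
    """
    by_key = defaultdict(list)
    for f in findings:
        cve = extract_cve(f["ref"])
        key = cve if cve else f"{f['tool']}:{f['ref']}"
        by_key[key].append(f)
    return dict(by_key)


def tools_agreeing(grouped, cve_id):
    """Sorted, de-duplicated names of the tools that reported the given CVE."""
    return sorted({f["tool"] for f in grouped.get(cve_id, [])})


# Constructed sample findings. The tool names, titles and the CVE number are
# placeholders invented for this example, not real identifiers; CWE-120 is the
# genuine CWE entry for a classic buffer overflow.
SAMPLE_FINDINGS = [
    {"tool": "scanner-a", "title": "Buffer copy without size check",
     "ref": "cve-2017-99991 (CWE-120)"},
    {"tool": "scanner-b", "title": "Stack overflow in parser",
     "ref": "See CVE-2017-99991"},
    {"tool": "scanner-a", "title": "Expired certificate", "ref": "A-TLS-003"},
    {"tool": "scanner-b", "title": "Certificate expired", "ref": "B-4471"},
]

if __name__ == "__main__":
    grouped = correlate(SAMPLE_FINDINGS)
    for key, items in grouped.items():
        print(key, "->", [(i["tool"], i["title"]) for i in items])
```

Run as a script, the two buffer-overflow findings collapse into one entry keyed by the CVE, while the two certificate findings remain separate even though a human would guess they are the same: without a shared identifier the tool cannot know that, which is the gap the CVE and CWE dictionaries close.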