CVE and CWE coverage on CompTIA Courses

@Trevor Chandler
CVEs (Common Vulnerabilities and Exposures) are directly addressed in CompTIA Security+ SY0-601 in Objective 1.7 Summarize the techniques used in security assessments.

CWE (Common Weakness Enumeration) is also addressed in CompTIA Pentest+ PT0-003 objective 4.1 Given a scenario, analyze output to prioritize and prepare attacks.
Wonderful! Thank you precious!!!!
 
Great question, Professor Chandler! CVEs are covered in Security+, CySA+, and CASP+/SecurityX. CWEs are not explicitly covered in CySA+, but I always include them in my presentation of CVEs and CVSS, being super careful to point out that they are not in the exam objectives. CWEs are essential when trying to match defensive strategy to your attack surface. Without CWEs, you must map many different CVEs to your defenses. Use CWEs instead. I still suggest mapping CVEs that are high profile, like those that appear on the Known Exploited Vulnerabilities (KEV) catalog from CISA.
Thank you very much Mr. Brian Ford! Enlightening responses like yours are why I bring this type of query to this community!!!!
 
Both CVEs and CWEs will show up on the results of any vulnerability assessment (e.g., from OpenVAS, Nessus, etc.), so like Brian, I cover them in any security class that covers how to perform, analyze, and create action reports using these programs.

However, CVEs match known vulnerabilities that have an attack vector and CVSS (i.e., those listed in the NVD database) while CWEs list insecure software and system configurations that may not have an associated CVE but are just as bad (e.g., EOL OS version, insecure permissions on key system files, cookie attributes not set in Apache, etc.).
Jason E, your commentary compressed a 15-page explanation into a couple of sentences - digestible and comprehensible!!! Thank you for your response. By the way, what algorithm did you use to perform this compression :)
 
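The two points made in the thread above (map defenses to CWEs rather than to individual CVEs, and still single out high-profile CVEs such as those on CISA's KEV catalog, while remembering that some scanner findings carry a CWE but no CVE at all) can be shown in code. The following is an added example, not code from the thread or from any scanner vendor: the findings list, hostnames, CVE ids of the form CVE-0000-000x, CVSS scores, the stand-in KEV set and the CWE-to-control table are all constructed placeholders. The CWE ids themselves are real MITRE entries (CWE-79, CWE-89, CWE-276, CWE-1104).

```python
"""Triage constructed vulnerability-assessment findings the way the thread
describes: group by CWE so one control addresses many CVEs, keep CWE-only
findings (no CVE, no CVSS) in the plan, and rank CVEs with KEV-listed ones
first. Added example; every id, host and score below is a constructed
placeholder, not real scan data."""
from collections import defaultdict

# Constructed findings in the shape a scanner export might take.
# CVE ids of the form CVE-0000-000x are placeholders, not real CVEs.
FINDINGS = [
    {"host": "web01", "cve": "CVE-0000-0001", "cwe": "CWE-79",   "cvss": 6.1},
    {"host": "web02", "cve": "CVE-0000-0004", "cwe": "CWE-79",   "cvss": 5.4},
    {"host": "api01", "cve": "CVE-0000-0002", "cwe": "CWE-89",   "cvss": 9.8},
    {"host": "web01", "cve": "CVE-0000-0003", "cwe": "CWE-89",   "cvss": 7.5},
    # CWE-only findings: an EOL platform and weak file permissions carry no CVE.
    {"host": "db01",  "cve": None,            "cwe": "CWE-1104", "cvss": None},
    {"host": "db01",  "cve": None,            "cwe": "CWE-276",  "cvss": None},
]

# Constructed stand-in for the CISA KEV catalog (a set of CVE ids).
KEV = {"CVE-0000-0003"}

# Constructed CWE -> defensive control table; the kind of mapping a defender
# maintains once, instead of re-mapping every new CVE.
CWE_DEFENSES = {
    "CWE-79":   "output encoding and Content-Security-Policy",
    "CWE-89":   "parameterised queries",
    "CWE-1104": "upgrade or decommission the unsupported platform",
    "CWE-276":  "tighten file permissions and enforce the baseline config",
}


def group_by_cwe(findings):
    """Return {cwe: [findings]} so each weakness class is handled once."""
    groups = defaultdict(list)
    for finding in findings:
        groups[finding["cwe"]].append(finding)
    return dict(groups)


def defense_plan(findings, defenses=CWE_DEFENSES):
    """One row per CWE: the control, how many CVEs it covers, affected hosts.

    CWE-only findings still produce a row (cve_count 0), which is the point
    Jason makes: they have no CVE but still need a fix.
    """
    plan = []
    for cwe, items in group_by_cwe(findings).items():
        cves = sorted({i["cve"] for i in items if i["cve"]})
        hosts = sorted({i["host"] for i in items})
        plan.append({
            "cwe": cwe,
            "control": defenses.get(cwe, "UNMAPPED - review"),
            "cve_count": len(cves),
            "hosts": hosts,
        })
    # Widest blast radius first, then most CVEs retired by one control.
    plan.sort(key=lambda r: (-len(r["hosts"]), -r["cve_count"], r["cwe"]))
    return plan


def prioritize_cves(findings, kev=KEV):
    """Rank CVE-bearing findings: KEV-listed first, then CVSS descending."""
    with_cve = [f for f in findings if f["cve"]]
    return sorted(
        with_cve,
        key=lambda f: (f["cve"] not in kev, -(f["cvss"] or 0.0), f["cve"]),
    )


if __name__ == "__main__":
    print("Defense plan by CWE:")
    for row in defense_plan(FINDINGS):
        print(f"  {row['cwe']:<9} {row['control']:<55} "
              f"cves={row['cve_count']} hosts={','.join(row['hosts'])}")
    print("CVE priority (KEV first):")
    for f in prioritize_cves(FINDINGS):
        tag = "KEV" if f["cve"] in KEV else "   "
        print(f"  {tag} {f['cve']} cvss={f['cvss']} cwe={f['cwe']} host={f['host']}")
```

Run as a script it prints four CWE rows (two CVEs retired by the CWE-79 control, two by the CWE-89 control, and two CWE-only rows for db01) and a CVE list with the KEV-listed CVE ahead of the 9.8-scored one, which is the ordering the thread recommends: KEV membership outranks raw CVSS.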