Note: This page is part of the archive.

This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact if you have any questions about the US-CERT website archive.

Further Information on Attack Patterns

Author(s): Amit Sethi, Sean Barnum
Maturity Levels and Audience Indicators: / E
SDLC Life Cycles: Requirements, Testing
Copyright: Copyright © Cigital, Inc. 2005-2007. Cigital retains copyrights to this material.


Further information about Attack Patterns.

Attack patterns are a relatively new concept and, as yet, little content is available for further reading. The References page in this content area lists some resources that may prove valuable. In particular, the following resources are directly relevant and should be considered:

  • The Common Attack Pattern Enumeration and Classification (CAPEC) initiative, sponsored by the Department of Homeland Security. The objective of this effort is to develop and release to the public an initial baseline catalog of attack patterns, together with a comprehensive schema and classification taxonomy. It is hoped that, after its launch, this catalog will continue to serve as the standard mechanism for identifying, collecting, refining, and sharing attack patterns within the software community.
  • Exploiting Software: How to Break Code [Hoglund 04]
  • Attack Modeling for Information Security and Survivability [Moore 01]
  • Matching Attack Patterns to Security Vulnerabilities in Software-Intensive System Designs [Gegick 05]