**3.3 Framework libraries for malware and software developments**

In addition to developing a standardized framework, NIST and MITRE have worked to produce standardized dictionaries for attacks, vulnerabilities, and weaknesses. For example, MITRE produces the *Common Attack Pattern Enumeration and Classification (CAPEC)* [20] to classify attack patterns, and NIST maintains the *National Vulnerability Database (NVD)* [21], which identifies the specific products affected by publicly known vulnerabilities. Beyond attacks, these organizations are iteratively developing dictionaries of the underlying weaknesses: MITRE sponsors the *Common Weakness Enumeration (CWE)* [22] and NIST sponsors the *Bugs Framework (BF)* [23, 24]. These standardized frameworks are deliberately agnostic to vendors, languages, and industry sectors. They have been instrumental in allowing industry, government, and academia to discuss and communicate software vulnerabilities, assurances, and development techniques. Just as people need a shared vocabulary to communicate about day-to-day activities, they need a shared dictionary to discuss technical ones.

**Figure 5.** *NIST's generic risk model with key risk factors.*

**Figure 6.** *NIST risk assessment process.*
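The dictionaries above are only useful when they are joined: an NVD entry names the affected products (as CPE strings), classifies the root cause (as CWE identifiers), and scores the impact (CVSS). The following Python is an added illustration, not code from this paper or from NIST or MITRE: it reduces an NVD-style CVE record to those cross-dictionary facts. The record is constructed for this example, and its layout follows the NVD JSON API 2.0 response shape as assumed here; the CVE identifier is fictitious.

```python
import json
import re

# Constructed NVD-style response (fictitious CVE; shape assumed to follow NVD JSON API 2.0).
SAMPLE_NVD_RESPONSE = json.dumps({
    "vulnerabilities": [{
        "cve": {
            "id": "CVE-1999-99999",
            "weaknesses": [
                # NVD can carry a primary and secondary CWE mapping from different sources.
                {"source": "nvd@nist.gov", "type": "Primary",
                 "description": [{"lang": "en", "value": "CWE-79"}]},
                {"source": "cna@example.org", "type": "Secondary",
                 "description": [{"lang": "en", "value": "CWE-20"}]},
                # Placeholder used when no CWE was assigned; must not be treated as a CWE.
                {"source": "nvd@nist.gov", "type": "Secondary",
                 "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]},
            ],
            "metrics": {
                "cvssMetricV31": [
                    {"cvssData": {"baseScore": 6.1, "baseSeverity": "MEDIUM"}}
                ]
            },
            "configurations": [{
                "nodes": [{
                    "operator": "OR", "negate": False,
                    "cpeMatch": [
                        {"vulnerable": True,
                         "criteria": "cpe:2.3:a:example_vendor:example_app:1.2.3:*:*:*:*:*:*:*"},
                        # A non-vulnerable CPE only scopes the platform; it is not an affected product.
                        {"vulnerable": False,
                         "criteria": "cpe:2.3:o:example_vendor:example_os:*:*:*:*:*:*:*:*"},
                    ],
                }]
            }],
        }
    }]
})

# Component names of a CPE 2.3 formatted string, in order after the "cpe:2.3:" prefix.
CPE23_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe23(criteria: str) -> dict:
    """Split a CPE 2.3 formatted string into named components.

    Colons inside a component are escaped as "\\:" in CPE 2.3, so the split
    must only break on unescaped colons.
    """
    parts = re.split(r"(?<!\\):", criteria)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {criteria!r}")
    return dict(zip(CPE23_FIELDS, parts[2:]))


def cve_summaries(nvd_json: str) -> list:
    """Reduce each NVD record to the facts that tie the dictionaries together:
    the CVE id, the CWE ids it is classified under, the CPEs marked vulnerable,
    and the CVSS v3.1 base score (None when NVD has not scored it yet)."""
    summaries = []
    for item in json.loads(nvd_json).get("vulnerabilities", []):
        cve = item["cve"]
        cwes = sorted({
            d["value"]
            for w in cve.get("weaknesses", [])
            for d in w.get("description", [])
            if d["value"].startswith("CWE-")   # drops NVD-CWE-noinfo / NVD-CWE-Other
        })
        vulnerable_cpes = sorted({
            m["criteria"]
            for cfg in cve.get("configurations", [])
            for node in cfg.get("nodes", [])
            for m in node.get("cpeMatch", [])
            if m.get("vulnerable")
        })
        v31 = cve.get("metrics", {}).get("cvssMetricV31", [])
        score = v31[0]["cvssData"]["baseScore"] if v31 else None
        summaries.append({
            "cve": cve["id"],
            "cwes": cwes,
            "vulnerable_cpes": vulnerable_cpes,
            "cvss": score,
        })
    return summaries


if __name__ == "__main__":
    for s in cve_summaries(SAMPLE_NVD_RESPONSE):
        print(s["cve"], s["cvss"], s["cwes"])
        for cpe in s["vulnerable_cpes"]:
            c = parse_cpe23(cpe)
            print("  affected:", c["vendor"], c["product"], c["version"])
```

Two caveats matter in practice: NVD uses the placeholders `NVD-CWE-noinfo` and `NVD-CWE-Other` when no CWE has been assigned, so a pipeline that keys on CWE must filter them out rather than counting them as weaknesses, and only CPE matches flagged `vulnerable` describe affected products, the rest describe the platform the vulnerable product runs on.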
