Secure Coding mailing list archives
Bugs and flaws
From: crispin at novell.com (Crispin Cowan)
Date: Wed, 01 Feb 2006 14:07:29 -0800
John Steven wrote:
> I'm not sure there's any value in discussing this minutia further, but here goes:
We'll let the moderator decide that :)
> 1) Crispin, I think you've nailed one thing. The continuum from: Architecture --> Design --> Low-level Design --> (to) Implementation is a blurry one, and certainly slippery as you move from 'left' to 'right'.
Cool.
> But, we all should understand that there's commensurate blur in our analysis techniques (aka architecture and code review) to assure that as we sweep over software that we uncover both bugs and architectural flaws.
Also agreed.
> 2) Flaws are different in important ways from bugs when it comes to presentation, prioritization, and mitigation. Let's explore by physical analog first.
I disagree with the word usage. To me, "bug" and "flaw" are exactly synonyms. The distinction being drawn here is between "implementation flaws" vs. "design flaws". You are just creating confusing jargon to claim that "flaw" is somehow more abstract than "bug". Flaw ::= defect ::= bug. A vulnerability is a special subset of flaws/defects/bugs that has the property of being exploitable.
> I nearly fell through one of my consultant's tables as I leaned on it this morning. We explored: "Bug or flaw?".
The wording issue aside, at the implementation level you try to code/implement to prevent flaws, by doing things such as using higher quality steel (for bolts) and good coding practices (for software). At the design level, you try to design so as to *mask* flaws by avoiding single points of failure, doing things such as using 2 bolts (for tables) and using access controls to limit privilege escalation (for software).

Crispin

-- 
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
Olympic Games: The Bi-Annual Festival of Corruption
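The "two bolts" point above, as an added illustration that is not part of Crispin's message or the thread: a hypothetical command service with an implementation-level authorization check that contains a bug (it compares the raw token while the back-end canonicalizes it, a classic inconsistency), shown once on its own and once behind a design-level reference monitor that holds each session's privileges independently of how the request was parsed. The service, the policy table and the session names are all constructed for the example.

```python
"""Implementation-level check (possibly buggy) vs. a design-level privilege
boundary that masks the bug. Hypothetical service, constructed for this example."""
from dataclasses import dataclass


class AccessDenied(Exception):
    pass


# Constructed policy table (assumption): operation -> privilege it requires.
REQUIRED_PRIVILEGE = {
    "read": "user",
    "write": "user",
    "adduser": "admin",
}


@dataclass(frozen=True)
class Session:
    """Design layer: privileges are fixed at login, never derived from request text."""
    name: str
    privileges: frozenset


# Constructed sessions used by the demo and the tests.
ALICE = Session("alice", frozenset({"user"}))
ROOT = Session("root", frozenset({"user", "admin"}))


def dispatch(op: str, arg: str) -> str:
    """Pretend back-end; it lowercases the operation name before acting on it."""
    op = op.lower()
    if op not in REQUIRED_PRIVILEGE:
        raise ValueError(f"unknown operation {op!r}")
    return f"{op}:{arg}"


def check_request_buggy(session: Session, op: str) -> None:
    """Implementation layer, flawed: compares the raw token, but dispatch()
    lowercases it, so 'ADDUSER' slips past the admin check."""
    if op == "adduser" and "admin" not in session.privileges:
        raise AccessDenied(f"{session.name} may not run {op}")


def check_request_fixed(session: Session, op: str) -> None:
    """Implementation layer, fixed ('better steel'): canonicalize exactly as
    dispatch() does before comparing."""
    canonical = op.lower()
    if canonical == "adduser" and "admin" not in session.privileges:
        raise AccessDenied(f"{session.name} may not run {canonical}")


def reference_monitor(session: Session, op: str) -> None:
    """Design layer ('second bolt'): every operation, however it was parsed,
    must satisfy the policy table; unknown operations are denied by default."""
    needed = REQUIRED_PRIVILEGE.get(op.lower())
    if needed is None or needed not in session.privileges:
        raise AccessDenied(f"policy denies {op.lower()!r} to {session.name}")


def handle_single_layer(session: Session, line: str, checker=check_request_buggy) -> str:
    """Only the implementation-level check stands between input and action."""
    op, _, arg = line.strip().partition(" ")
    checker(session, op)
    return dispatch(op, arg)


def handle_layered(session: Session, line: str, checker=check_request_buggy) -> str:
    """Same (possibly buggy) check, plus the independent reference monitor."""
    op, _, arg = line.strip().partition(" ")
    checker(session, op)
    reference_monitor(session, op)
    return dispatch(op, arg)


def escalation_blocked(handler, session: Session, line: str, checker=check_request_buggy) -> bool:
    """True if the handler refuses the request with AccessDenied."""
    try:
        handler(session, line, checker)
        return False
    except AccessDenied:
        return True


if __name__ == "__main__":
    attack = "ADDUSER mallory"  # constructed attacker input exploiting the case bug
    print("single layer, buggy check:", handle_single_layer(ALICE, attack))
    print("single layer, fixed check blocks:", escalation_blocked(handle_single_layer, ALICE, attack, check_request_fixed))
    print("layered, buggy check still blocks:", escalation_blocked(handle_layered, ALICE, attack))
    print("layered, legitimate admin:", handle_layered(ROOT, "adduser bob"))
```

With only the buggy check, `ADDUSER mallory` from an ordinary user reaches the back-end and runs as `adduser`. Fixing the check stops it, but so does leaving the check broken and adding the monitor, which is the point of the design-level control: the implementation flaw still exists, it just no longer escalates privilege.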
Current thread:
- Bugs and flaws Gary McGraw (Jan 30)
- Bugs and flaws Crispin Cowan (Jan 31)
- Bugs and flaws John Steven (Feb 01)
- Bugs and flaws Crispin Cowan (Feb 01)
- Bugs and flaws Wall, Kevin (Feb 02)
- Bugs and flaws John Steven (Feb 02)
- Bugs and flaws Crispin Cowan (Feb 02)
- Bugs and flaws John Steven (Feb 01)
- Bugs and flaws Jeff Williams (Feb 02)
- Bugs and flaws Crispin Cowan (Jan 31)
- Bugs and flaws Gunnar Peterson (Feb 01)
- <Possible follow-ups>
- Bugs and flaws Steven M. Bellovin (Feb 01)
- Bugs and flaws Gary McGraw (Feb 02)
- Bugs and flaws Chris Wysopal (Feb 02)
- Bugs and flaws David Crocker (Feb 02)
- Bugs and flaws Chris Wysopal (Feb 02)
- Bugs and flaws Chris Wysopal (Feb 02)