Secure Coding mailing list archives
Bugs and flaws
From: Ken at KRvW.com (Kenneth R. van Wyk)
Date: Fri, 03 Feb 2006 10:24:54 -0500
This thread sure has opened up some lively debate...

Gary McGraw wrote:
> As a matter of practice, I usually use the terms that you suggested as
> modifiers and say:
>   implementation bug
>   design flaw
>   software defect
FWIW, I like to use the nomenclature "security defect" as an all-encompassing term, irrespective of design vs. implementation. Then, quite frankly, I think that the choice of "bug" or "flaw" is far less important than putting them into the appropriate _context_ -- which is why I also generally use the above "implementation bug" and "design flaw".

I do think that the distinction is important, even though I agree with the thought that it's pretty much a continuum across the spectrum. From a pragmatic viewpoint, one of the important distinctions is how one would go about rectifying the defect. An implementation bug can oftentimes be fixed in a couple of lines of code (e.g., strncpy vs. strcpy), whereas a design flaw may well require going "back to the drawing board" and fixing an underlying architectural weakness. This is, of course, irrespective of how the problem was found.

I'll also point out that none of the three of the above terms even mention security. They could be functional defects as well as security defects, which is just fine, IMHO.

Cheers,

Ken van Wyk
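The strncpy-vs-strcpy example above is the classic "couple of lines of code" implementation-bug fix, and it is also a good illustration of why even that small fix needs care. The C below is an added example written for this archive page, not code from the thread or from any of its participants; the NAME_LEN field size, the function names and the sample inputs are all constructed for illustration. It places the strcpy() version beside a naive strncpy() swap-in (which stops without writing a terminator when the input fills the buffer), a correct strncpy() use that always terminates, and an explicit length check that rejects over-long input instead of truncating it.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* hypothetical fixed-size record field (assumption) */

/* "Before": the implementation bug. strcpy() does not know how large
 * dst is, so any src of NAME_LEN bytes or more writes past the end
 * of the buffer. Kept only for contrast; never call it on untrusted
 * input. */
void copy_name_strcpy(char dst[NAME_LEN], const char *src)
{
    strcpy(dst, src);
}

/* The textbook one-line "fix": bounded, but strncpy() stops without
 * writing a terminator when src is NAME_LEN bytes or longer, so a
 * later strlen()/printf() on dst still reads off the end. */
void copy_name_strncpy_naive(char dst[NAME_LEN], const char *src)
{
    strncpy(dst, src, NAME_LEN);
}

/* strncpy() used correctly: copy at most NAME_LEN-1 bytes and always
 * terminate. Over-long input is silently truncated. */
void copy_name_strncpy(char dst[NAME_LEN], const char *src)
{
    strncpy(dst, src, NAME_LEN - 1);
    dst[NAME_LEN - 1] = '\0';
}

/* Explicit length check: refuse input that does not fit rather than
 * truncating it. Returns 0 on success, -1 if src (including its
 * terminator) would not fit. */
int copy_name_checked(char dst[NAME_LEN], const char *src)
{
    size_t n = strlen(src);
    if (n >= NAME_LEN)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* True if dst holds a terminator somewhere inside its NAME_LEN bytes. */
int is_terminated(const char dst[NAME_LEN])
{
    return memchr(dst, '\0', NAME_LEN) != NULL;
}

/* Constructed inputs: one that fits, one of exactly NAME_LEN bytes
 * (no room for the terminator), and one longer still. */
static const char *SHORT_NAME = "alice";
static const char *EDGE_NAME  = "0123456789abcdef";     /* 16 bytes */
static const char *LONG_NAME  = "0123456789abcdefghij"; /* 20 bytes */

/* Returns 1 if the naive strncpy() replacement leaves dst unterminated
 * for LONG_NAME, i.e. the "fix" is itself still a bug. */
int naive_fix_leaves_unterminated(void)
{
    char buf[NAME_LEN];
    memset(buf, 'X', sizeof buf);
    copy_name_strncpy_naive(buf, LONG_NAME);
    return !is_terminated(buf);
}

/* Returns the string length the correct strncpy() variant produces for
 * LONG_NAME (NAME_LEN-1 after truncation), or (size_t)-1 if it failed
 * to terminate. */
size_t correct_fix_truncated_len(void)
{
    char buf[NAME_LEN];
    memset(buf, 'X', sizeof buf);
    copy_name_strncpy(buf, LONG_NAME);
    return is_terminated(buf) ? strlen(buf) : (size_t)-1;
}

/* Returns 1 if the checked copy accepts SHORT_NAME intact and rejects
 * both EDGE_NAME and LONG_NAME. */
int checked_copy_behaves(void)
{
    char buf[NAME_LEN];
    return copy_name_checked(buf, SHORT_NAME) == 0 && strcmp(buf, SHORT_NAME) == 0
        && copy_name_checked(buf, EDGE_NAME) == -1
        && copy_name_checked(buf, LONG_NAME) == -1;
}

int main(void)
{
    char buf[NAME_LEN];
    copy_name_strcpy(buf, SHORT_NAME);  /* safe only because this input is short */
    printf("strcpy with short input: %s\n", buf);
    printf("naive strncpy leaves buffer unterminated: %d\n", naive_fix_leaves_unterminated());
    printf("correct strncpy truncates to %zu bytes\n", correct_fix_truncated_len());
    printf("checked copy accepts short, rejects over-long input: %d\n", checked_copy_behaves());
    return 0;
}
```

The point for the bug/flaw discussion: the local fix really is a couple of lines, but which couple matters. Swapping strcpy() for strncpy() without the explicit terminator trades an overflow for a read past the buffer, while the checked variant changes the function's contract (it can now fail), which is the first hint that a "simple" implementation fix may ripple out toward the design.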