Secure Coding mailing list archives

Bugs and flaws

From: brian at fortifysoftware.com (Brian Chess)
Date: Fri, 03 Feb 2006 17:51:41 -0800

The best definition for "flaw" and "bug" I've heard so far is that a flaw is
a successful implementation of your intent, while a bug is unintentional.  I
think I've also heard "a bug is small", a flaw is big", but that definition
is awfully squishy.

If the difference between a bug and a flaw is indeed one of intent, then I
don't think it's a useful distinction.  Intent rarely brings with it other
dependable characteristics.

I've also heard "bugs are things that a static analysis tool can find", but
I don't think that really captures it either.  For example, it's easy for a
static analysis tool to point out that the following Java statement implies
that the program is using weak cryptography:

    SecretKey key = KeyGenerator.getInstance("DES").generateKey();

Brian

Current thread:

Bugs and flaws, (continued)
- - - Bugs and flaws Greg Beeley (Feb 03)
- Bugs and flaws Brian Chess (Feb 02)
- Bugs and flaws Gary McGraw (Feb 02)
  - Bugs and flaws Jeff Williams (Feb 02)
- Bugs and flaws Gary McGraw (Feb 03)
  - Bugs and flaws James Stibbards (Feb 03)
  - Bugs and flaws Crispin Cowan (Feb 03)
    - Bugs and flaws Dana Epp (Feb 03)
    - Bugs and flaws Crispin Cowan (Feb 07)
- Bugs and flaws Nick FitzGerald (Feb 03)
- Bugs and flaws Brian Chess (Feb 03)
- Bugs and flaws Nick FitzGerald (Feb 03)
- Bugs and flaws Evans, Arian (Feb 06)
- Bugs and flaws Evans, Arian (Feb 06)
  - Where to read about construction quality software ljknews (Feb 06)
- Bugs and flaws Gary McGraw (Feb 06)
  - Bugs and flaws Jeff Williams (Feb 07)
    - Bugs and flaws Julie Ryan (Feb 07)
    - Bugs and flaws Gunnar Peterson (Feb 07)
- Bugs and flaws Gary McGraw (Feb 06)