Bugs and flaws

[gunnar at arctecgroup.net (Gunnar Peterson)]

Perhaps a useful distinction that we could to assign responsibility is to
separate concerns in algorithms from the concerns of the system as a whole.
Butler Lampson describes how designing a computer system is different from
designing an algorithm:

"The external interface (that is, the requirement) is less precisely defined,
more complex, and more subject to change.
The system has much more internal structure, and hence many internal interfaces.
The measure of success is much less clear."

In the WMF case was the system supposed to protect the algorithm or should the
algorithm have been able to defend itself?

-gp


>  -----Original Message-----
> From:         Brian Chess [mailto:brian at fortifysoftware.com]
> Sent: Sat Feb 04 00:56:16 2006
> To:   sc-l at securecoding.org
> Subject:      RE: [SC-L] Bugs and flaws
>
> The best definition for "flaw" and "bug" I've heard so far is that a flaw is
> a successful implementation of your intent, while a bug is unintentional.  I
> think I've also heard "a bug is small", a flaw is big", but that definition
> is awfully squishy.
>
> If the difference between a bug and a flaw is indeed one of intent, then I
> don't think it's a useful distinction.  Intent rarely brings with it other
> dependable characteristics.
>
> I've also heard "bugs are things that a static analysis tool can find", but
> I don't think that really captures it either.  For example, it's easy for a
> static analysis tool to point out that the following Java statement implies
> that the program is using weak cryptography:
>
>     SecretKey key = KeyGenerator.getInstance("DES").generateKey();
>
> Brian
>
> _______________________________________________
> Secure Coding mailing list (SC-L)
> SC-L at securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
>
>
>
>
> ----------------------------------------------------------------------------
> This electronic message transmission contains information that may be
> confidential or privileged.  The information contained herein is intended
> solely for the recipient and use by any other party is not authorized.  If
> you are not the intended recipient (or otherwise authorized to receive this
> message by the intended recipient), any disclosure, copying, distribution or
> use of the contents of the information is prohibited.  If you have received
> this electronic message transmission in error, please contact the sender by
> reply email and delete all copies of this message.  Cigital, Inc. accepts no
> responsibility for any loss or damage resulting directly or indirectly from
> the use of this email or its contents.
> Thank You.
> ----------------------------------------------------------------------------
>
> _______________________________________________
> Secure Coding mailing list (SC-L)
> SC-L at securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
>
> _______________________________________________
> Secure Coding mailing list (SC-L)
> SC-L at securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php