Secure Coding mailing list archives
Bugs and flaws
From: Kevin.Wall at qwest.com (Wall, Kevin)
Date: Thu, 2 Feb 2006 07:53:56 -0600
John Steven wrote: ...
2) Flaws are different in important ways bugs when it comes to presentation, prioritization, and mitigation. Let's explore by physical analog first.
Crispin Cowan responded:
I disagree with the word usage. To me, "bug" and "flaw" are exactly synonyms. The distinction being drawn here is between "implementation flaws" vs. "design flaws". You are just creating confusing jargon to claim that "flaw" is somehow more abstract than "bug". Flaw ::= defect ::= bug. A vulnerability is a special subset of flaws/defects/bugs that has the property of being exploitable.
I'm not sure if this will clarify things or further muddy the waters, but... partial definitions taken SWEBOK (http://www.swebok.org/ironman/pdf/Swebok_Ironman_June_23_%202004.pdf) which in turn were taken from the IEEE standard glossary (IEEE610.12-90) are: + Error: "A difference between a computed result and the correct result" + Fault: "An incorrect step, process, or data definition in a computer program" + Failure: "The [incorrect] result of a fault" + Mistake: "A human action that produces an incorrect result" Not all faults are manifested as errors. I can't find an online version of the glossary anywhere, and the one I have is about 15-20 years old and buried somewhere deep under a score of other rarely used books. My point is though, until we start with some standard terminology this field of information security is never going to mature. I propose that we build on the foundational definitions of the IEEE-CS (unless there definitions have "bugs" ;-). -kevin --- Kevin W. Wall Qwest Information Technology, Inc. Kevin.Wall at qwest.com Phone: 614.215.4788 "The reason you have people breaking into your software all over the place is because your software sucks..." -- Former whitehouse cybersecurity advisor, Richard Clarke, at eWeek Security Summit
Current thread:
- Bugs and flaws Gary McGraw (Jan 30)
- Bugs and flaws Crispin Cowan (Jan 31)
- Bugs and flaws John Steven (Feb 01)
- Bugs and flaws Crispin Cowan (Feb 01)
- Bugs and flaws Wall, Kevin (Feb 02)
- Bugs and flaws John Steven (Feb 02)
- Bugs and flaws Crispin Cowan (Feb 02)
- Bugs and flaws John Steven (Feb 01)
- Bugs and flaws Jeff Williams (Feb 02)
- Bugs and flaws Crispin Cowan (Jan 31)
- Bugs and flaws Gunnar Peterson (Feb 01)
- <Possible follow-ups>
- Bugs and flaws Steven M. Bellovin (Feb 01)
- Bugs and flaws Gary McGraw (Feb 02)
- Bugs and flaws Chris Wysopal (Feb 02)
- Bugs and flaws David Crocker (Feb 02)
- Bugs and flaws Chris Wysopal (Feb 02)
- Bugs and flaws Blue Boar (Feb 02)
- Bugs and flaws Chris Wysopal (Feb 02)