Secure Coding mailing list archives
Bugs and flaws
From: gem at cigital.com (Gary McGraw)
Date: Thu, 2 Feb 2006 11:02:36 -0500
Hi all, When I introduced the "bugs" and "flaws" nomenclature into the literature, I did so in an article about the software security workshop I chaired in 2003 (see http://www.cigital.com/ssw/). This was ultimately written up in an "On the Horizon" paper published by IEEE Security & Privacy. Nancy Mead and I queried the SWEBOK and looked around to see if the new usage caused collision. It did not. The reason I think it is important to distinguish the two ends of the rather slippery range (crispy is right about that) is that software security as a field is not paying enough attention to architecture. By identifying flaws as a subcategory of defects (according the the SWEBOK), we can focus some attention on the problem.
From the small glossary in "Software Security" (my new book out
tomorrow): Bug-A bug is an implementation-level software problem. Bugs may exist in code but never be executed. Though the term bug is applied quite generally by many software practitioners, I reserve use of the term to encompass fairly simple implementation errors. Bugs are implementation-level problems that can be easily discovered and remedied. See Chapter 1. Flaw-A design-level or architectural software defect. High-level defects cause 50% of software security problems. See Chapter 1. In any case, I intend to still use these terms like this, and I would be very pleased if you would all join me. gem ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ----------------------------------------------------------------------------
Current thread:
- Bugs and flaws Gary McGraw (Jan 30)
- Bugs and flaws Crispin Cowan (Jan 31)
- Bugs and flaws John Steven (Feb 01)
- Bugs and flaws Crispin Cowan (Feb 01)
- Bugs and flaws Wall, Kevin (Feb 02)
- Bugs and flaws John Steven (Feb 02)
- Bugs and flaws Crispin Cowan (Feb 02)
- Bugs and flaws John Steven (Feb 01)
- Bugs and flaws Jeff Williams (Feb 02)
- Bugs and flaws Crispin Cowan (Jan 31)
- Bugs and flaws Gunnar Peterson (Feb 01)
- <Possible follow-ups>
- Bugs and flaws Steven M. Bellovin (Feb 01)
- Bugs and flaws Gary McGraw (Feb 02)
- Bugs and flaws Chris Wysopal (Feb 02)
- Bugs and flaws David Crocker (Feb 02)
- Bugs and flaws Chris Wysopal (Feb 02)
- Bugs and flaws Blue Boar (Feb 02)
- Bugs and flaws Al Eridani (Feb 03)
- Bugs and flaws Chris Wysopal (Feb 02)
- Bugs and flaws Gunnar Peterson (Feb 02)
- Bugs and flaws Kenneth R. van Wyk (Feb 03)