Secure Coding mailing list archives

Bugs and flaws


From: Ken at KRvW.com (Kenneth R. van Wyk)
Date: Fri, 03 Feb 2006 10:24:54 -0500

This thread sure has opened up some lively debate...

Gary McGraw wrote:

As a matter of practice, I usually use the terms that you suggested as
modifiers and say:

implementation bug
design flaw
software defect
 

FWIW, I like to use the nomenclature "security defect" as an 
all-encompassing term, irrespective of design vs. implementation.  Then, 
quite frankly, I think that the choice of "bug" or "flaw" is far less 
important than putting them into the appropriate _context_ -- which is 
why I also generally use the above "implementation bug" and "design flaw". 

I do think that the distinction is important, even though I agree with 
the thought that it's pretty much of a continuum across the spectrum.  
From a pragmatic viewpoint, one of the important distinctions is how 
one would go about rectifying the defect.  An implementation bug can 
oftentimes be fixed in a couple lines of code (e.g., strncpy vs. 
strcpy), whereas a design flaw may well require going "back to the 
drawing board" and fixing an underlying architectural weakness.  This 
is, of course, irrespective of how the problem was found.

I'll also point out that none of the three terms above even mention 
security.  They could be functional defects as well as security defects, 
which is just fine, IMHO.

Cheers,

Ken van Wyk
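
The "strncpy vs. strcpy" case mentioned in the message above, as an added example that is not part of the original post: the implementation bug and its fix sit in one function, and no caller or data layout has to change. The struct, the buffer size and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16          /* constructed buffer size for this example */

struct account {
    char name[NAME_LEN];
    int  is_admin;           /* neighbour that an overflow of name[] would reach */
};

/* Before: implementation bug. strcpy() copies up to the source's NUL,
 * no matter how much room name[] has. */
void set_name_buggy(struct account *a, const char *src)
{
    strcpy(a->name, src);
}

/* After: same arguments, callers untouched, two lines changed.
 * strncpy() writes no terminator when src fills the buffer, so the
 * explicit NUL is part of the fix. Returns 1 if src was truncated. */
int set_name_fixed(struct account *a, const char *src)
{
    strncpy(a->name, src, sizeof a->name - 1);
    a->name[sizeof a->name - 1] = '\0';
    return strlen(src) >= sizeof a->name;
}

int main(void)
{
    struct account a = { "", 0 };
    /* constructed input, longer than NAME_LEN */
    const char *input = "a-constructed-name-longer-than-the-buffer";

    int truncated = set_name_fixed(&a, input);
    printf("name=\"%s\" truncated=%d is_admin=%d\n",
           a.name, truncated, a.is_admin);

    set_name_buggy(&a, "short");   /* only safe because the input fits */
    printf("name=\"%s\"\n", a.name);
    return 0;
}
```

The truncation flag lets a caller reject an over-long name instead of silently storing a shortened one.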



