Secure Coding mailing list archives

Bugs and flaws

From: gem at cigital.com (Gary McGraw)
Date: Mon, 6 Feb 2006 23:13:24 -0500

Hi all,

I'm afraid I don't concur with this definition.  Here's a (rather vague) flaw example that may help clarify what I 
mean.  Think about an error of omission where an API is exposed with no A&A protection whatsoever.  This API may have 
been designed not to have been exposed originally, but somehow  became exposed only over time.

How do you find errors of omission with a static analysis tool?  

This is only one of salzer and schroeder's principles in action.  What of the other 9?

gem

P.s. Five points to whoever names the principle in question.

P.p.s. The book is out www.swsec.com

 -----Original Message-----
From:   Brian Chess [mailto:brian at fortifysoftware.com]
Sent:   Sat Feb 04 00:56:16 2006
To:     sc-l at securecoding.org
Subject:        RE: [SC-L] Bugs and flaws

The best definition for "flaw" and "bug" I've heard so far is that a flaw is
a successful implementation of your intent, while a bug is unintentional.  I
think I've also heard "a bug is small", a flaw is big", but that definition
is awfully squishy.

If the difference between a bug and a flaw is indeed one of intent, then I
don't think it's a useful distinction.  Intent rarely brings with it other
dependable characteristics.

I've also heard "bugs are things that a static analysis tool can find", but
I don't think that really captures it either.  For example, it's easy for a
static analysis tool to point out that the following Java statement implies
that the program is using weak cryptography:

    SecretKey key = KeyGenerator.getInstance("DES").generateKey();

Brian

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php




----------------------------------------------------------------------------
This electronic message transmission contains information that may be
confidential or privileged.  The information contained herein is intended
solely for the recipient and use by any other party is not authorized.  If
you are not the intended recipient (or otherwise authorized to receive this
message by the intended recipient), any disclosure, copying, distribution or
use of the contents of the information is prohibited.  If you have received
this electronic message transmission in error, please contact the sender by
reply email and delete all copies of this message.  Cigital, Inc. accepts no
responsibility for any loss or damage resulting directly or indirectly from
the use of this email or its contents.
Thank You.
----------------------------------------------------------------------------

Current thread:

Bugs and flaws, (continued)
- - Bugs and flaws James Stibbards (Feb 03)
  - Bugs and flaws Crispin Cowan (Feb 03)
    - Bugs and flaws Dana Epp (Feb 03)
    - Bugs and flaws Crispin Cowan (Feb 07)
- Bugs and flaws Nick FitzGerald (Feb 03)
- Bugs and flaws Brian Chess (Feb 03)
- Bugs and flaws Nick FitzGerald (Feb 03)
- Bugs and flaws Evans, Arian (Feb 06)
- Bugs and flaws Evans, Arian (Feb 06)
  - Where to read about construction quality software ljknews (Feb 06)
- Bugs and flaws Gary McGraw (Feb 06)
  - Bugs and flaws Jeff Williams (Feb 07)
    - Bugs and flaws Julie Ryan (Feb 07)
    - Bugs and flaws Gunnar Peterson (Feb 07)
- Bugs and flaws Gary McGraw (Feb 06)