John Steven wrote:
...
> 2) Flaws are different in important ways from bugs when it comes to presentation,
> prioritization, and mitigation. Let's explore by physical analog first.

Crispin Cowan responded:
> I disagree with the word usage. To me, "bug" and "flaw" are exactly
> synonyms. The distinction being drawn here is between "implementation
> flaws" vs. "design flaws". You are just creating confusing jargon to
> claim that "flaw" is somehow more abstract than "bug". Flaw ::= defect
> ::= bug. A vulnerability is a special subset of flaws/defects/bugs that
> has the property of being exploitable.

I'm not sure if this will clarify things or further muddy the waters, but... partial definitions taken from SWEBOK (http://www.swebok.org/ironman/pdf/Swebok_Ironman_June_23_%202004.pdf), which in turn were taken from the IEEE standard glossary (IEEE 610.12-90), are:

  + Error: "A difference ... between a computed result and the correct result"
  + Fault: "An incorrect step, process, or data definition in a computer program"
  + Failure: "The [incorrect] result of a fault"
  + Mistake: "A human action that produces an incorrect result"

Not all faults are manifested as errors.

I can't find an online version of the glossary anywhere, and the one I have is about 15-20 years old and buried somewhere deep under a score of other rarely used books.

My point is, though, until we start with some standard terminology this field of information security is never going to mature. I propose that we build on the foundational definitions of the IEEE-CS (unless their definitions have "bugs" ;-).

-kevin
---
Kevin W. Wall
Qwest Information Technology, Inc.
[EMAIL PROTECTED]
Phone: 614.215.4788
"The reason you have people breaking into your software all over the place is because your software sucks..."
-- Former whitehouse cybersecurity advisor, Richard Clarke, at eWeek Security Summit

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php