So from a countermeasure standpoint, a bug can and should be fixed locally,
while a flaw may require that the countermeasure exists at a different level of
abstraction. For example, I assume no one thinks (in OO at least) that input
validation is resident in every method, but rather called externally.

-gp

Quoting Gary McGraw <[EMAIL PROTECTED]>:

> Hi all,
>
> When I introduced the "bugs" and "flaws" nomenclature into the
> literature, I did so in an article about the software security workshop
> I chaired in 2003 (see http://www.cigital.com/ssw/).  This was
> ultimately written up in an "On the Horizon" paper published by IEEE
> Security & Privacy.
>
> Nancy Mead and I queried the SWEBOK and looked around to see if the new
> usage caused collision.  It did not.  The reason I think it is important
> to distinguish the two ends of the rather slippery range (crispy is
> right about that) is that software security as a field is not paying
> enough attention to architecture.  By identifying flaws as a subcategory
> of defects (according the the SWEBOK), we can focus some attention on
> the problem.
>
> >From the small glossary in "Software Security" (my new book out
> tomorrow):
>
> Bug-A bug is an implementation-level software problem. Bugs may exist in
> code but never be executed. Though the term bug is applied quite
> generally
> by many software practitioners, I reserve use of the term to encompass
> fairly
> simple implementation errors. Bugs are implementation-level problems
> that
> can be easily discovered and remedied. See Chapter 1.
>
> Flaw-A design-level or architectural software defect. High-level defects
> cause 50% of software security problems. See Chapter 1.
>
> In any case, I intend to still use these terms like this, and I would be
> very pleased if you would all join me.
>
> gem
>
>
>
> ----------------------------------------------------------------------------
> This electronic message transmission contains information that may be
> confidential or privileged.  The information contained herein is intended
> solely for the recipient and use by any other party is not authorized.  If
> you are not the intended recipient (or otherwise authorized to receive this
> message by the intended recipient), any disclosure, copying, distribution or
> use of the contents of the information is prohibited.  If you have received
> this electronic message transmission in error, please contact the sender by
> reply email and delete all copies of this message.  Cigital, Inc. accepts no
> responsibility for any loss or damage resulting directly or indirectly from
> the use of this email or its contents.
> Thank You.
> ----------------------------------------------------------------------------
>
> _______________________________________________
> Secure Coding mailing list (SC-L)
> SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
>

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php

Reply via email to