This thread sure has opened up some lively debate...
Gary McGraw wrote:
FWIW, I like to use the nomenclature "security defect" as an
all-encompassing term, irrespective of design vs. implementation. Then,
quite frankly, I think that the choice of "bug" or "flaw" is far less
important than putting them into the appropriate _context_ -- which is
why I also generally use the above "implementation bug" and "design flaw".
I do think that the distinction is important, even though I agree with
the thought that it's pretty much of a continuum across the spectrum.
From a pragmatic viewpoint, one of the important distinctions is how
one would go about rectifying the defect. An implementation bug can
oftentimes be fixed in a couple lines of code (e.g., strncpy vs.
strcpy), whereas a design flaw may well require going "back to the
drawing board" and fixing an underlying architectural weakness. This
is, of course, irrespective of how the problem was found.
As a matter of practice, I usually use the terms that you suggested as
modifiers and say:
I'll also point out that none of the three above terms even mention
security. They could be functional defects as well as security defects,
which is just fine, IMHO.
Ken van Wyk
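The strcpy-to-strncpy "couple lines of code" fix mentioned above, as an added C example that is not from the post or the list: the struct, buffer size and function names are assumed for illustration, and the bounded version also writes the terminator itself, since strncpy alone does not guarantee one when the input fills the buffer.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16  /* assumed fixed-size field, including the NUL */

struct user {
    char name[NAME_MAX];
};

/* Before: the implementation bug. strcpy copies until it finds a NUL,
   so any source longer than NAME_MAX - 1 bytes overruns u->name. */
void set_name_unbounded(struct user *u, const char *src)
{
    strcpy(u->name, src);  /* no bound on the copy */
}

/* After: the local, two-line fix. strncpy bounds the copy, but it does
   not NUL-terminate when src has NAME_MAX - 1 or more bytes, so the
   terminator is written explicitly. Returns 1 if the input was
   truncated, so a caller can log or reject it instead of silently
   storing a shortened name. */
int set_name_bounded(struct user *u, const char *src)
{
    strncpy(u->name, src, NAME_MAX - 1);
    u->name[NAME_MAX - 1] = '\0';
    return strlen(src) > NAME_MAX - 1;
}

int main(void)
{
    struct user u;
    /* constructed inputs: one that fits, one that is too long */
    const char *short_name = "alice";
    const char *long_name = "AAAAAAAAAAAAAAAAAAAAAAAA";  /* 24 bytes */

    set_name_unbounded(&u, short_name);  /* safe only because it fits */
    printf("unbounded, short input: '%s'\n", u.name);

    printf("bounded, short input: truncated=%d name='%s'\n",
           set_name_bounded(&u, short_name), u.name);
    printf("bounded, long input:  truncated=%d name='%s' (len %zu)\n",
           set_name_bounded(&u, long_name), u.name, strlen(u.name));
    return 0;
}
```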
Secure Coding mailing list (SC-L)
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php