This thread sure has opened up some lively debate...

Gary McGraw wrote:

> As a matter of practice, I usually use the terms that you suggested as
> modifiers and say:
>
> implementation bug
> design flaw
> software defect

FWIW, I like to use the nomenclature "security defect" as an all-encompassing term, irrespective of design vs. implementation. Then, quite frankly, I think that the choice of "bug" or "flaw" is far less important than putting them into the appropriate _context_ -- which is why I also generally use the above "implementation bug" and "design flaw". I do think that the distinction is important, even though I agree with the thought that it's pretty much of a continuum across the spectrum. From a pragmatic viewpoint, one of the important distinctions is how one would go about rectifying the defect. An implementation bug can oftentimes be fixed in a couple of lines of code (e.g., strncpy vs. strcpy), whereas a design flaw may well require going "back to the drawing board" and fixing an underlying architectural weakness. This is, of course, irrespective of how the problem was found.

I'll also point out that none of the three above terms even mention security. They could be functional defects as well as security defects, which is just fine, IMHO.


Ken van Wyk
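The strncpy-vs-strcpy "couple of lines" fix mentioned above, written out as an added example (not code from the thread or from either author). The struct, field names and the constructed long username are assumptions chosen to make the point visible: the unbounded copy is the implementation bug, and the fix is local to the one function. The example also carries the caveat a reviewer would raise, that strncpy alone does not NUL-terminate when the source fills the buffer, so the bounded copy needs an explicit terminator to actually be a fix.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Hypothetical record: the flag sits directly after the fixed-size
 * name field, so an overflow of name lands on it. */
struct record {
    char name[NAME_LEN];
    int  privileged;
};

/* The implementation bug: unbounded copy into a fixed-size field.
 * Any src of NAME_LEN bytes or more writes past name[]. */
void set_name_unsafe(struct record *r, const char *src)
{
    strcpy(r->name, src);
}

/* The two-line fix. strncpy bounds the copy, but it writes no NUL when
 * src is at least as long as the bound, so terminate explicitly.
 * Returns 1 if the input had to be truncated, 0 otherwise, so callers
 * can reject or log over-long names instead of silently clipping them. */
int set_name_safe(struct record *r, const char *src)
{
    strncpy(r->name, src, NAME_LEN - 1);
    r->name[NAME_LEN - 1] = '\0';
    return strlen(src) > NAME_LEN - 1;
}

/* Check that the safe copy left the neighbouring field untouched and the
 * name properly terminated within bounds. Returns 1 on success. */
int safe_copy_preserves_layout(const char *src)
{
    struct record r;
    memset(&r, 0, sizeof r);
    set_name_safe(&r, src);
    if (r.privileged != 0)
        return 0;                      /* adjacent field was clobbered */
    if (strnlen(r.name, NAME_LEN) >= NAME_LEN)
        return 0;                      /* no terminator inside the buffer */
    return 1;
}

int main(void)
{
    /* Constructed over-long input: 25 bytes, well past NAME_LEN. */
    const char *long_name = "averyveryverylongusername";
    struct record r;
    memset(&r, 0, sizeof r);

    int truncated = set_name_safe(&r, long_name);
    printf("stored name: \"%s\" (truncated=%d, privileged=%d)\n",
           r.name, truncated, r.privileged);

    /* set_name_unsafe is only exercised with input that fits, to show
     * that the bug is invisible on well-formed data. */
    set_name_unsafe(&r, "alice");
    printf("unsafe copy of a short name: \"%s\"\n", r.name);
    return 0;
}
```

The point of returning the truncation flag is that the local fix closes the memory-safety hole but does not decide what the program should do with an over-long name; whether truncation is acceptable at all is the kind of question that belongs to the design, not to this function.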

Secure Coding mailing list (SC-L)