The best definition for "flaw" and "bug" I've heard so far is that a flaw is
a successful implementation of your intent, while a bug is unintentional. I
think I've also heard "a bug is small", a flaw is big", but that definition
is awfully squishy.
If the difference between a bug and a flaw is indeed one of intent, then I
don't think it's a useful distinction. Intent rarely brings with it other
dependable characteristics.
I've also heard "bugs are things that a static analysis tool can find", but
I don't think that really captures it either. For example, it's easy for a
static analysis tool to point out that the following Java statement implies
that the program is using weak cryptography:
SecretKey key = KeyGenerator.getInstance("DES").generateKey();
Brian
_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
