Secure Coding mailing list archives

Bugs and flaws


From: jsteven at cigital.com (John Steven)
Date: Thu, 02 Feb 2006 09:12:32 -0500

Kevin,

Jeff Payne and I were talking about this last night. Jeff's position was,
"...Or, you could just use the existing quality assurance terminology and
avoid the problem altogether." I agree with you and him; standardizing
terminology is a great start to obviating confusing discussions about what
type of problem the software faces.

Re-reading my post, I realize that it came off as heavy support for
additional terminology. Truth is, we've found that the easiest way to
communicate this concept to our Consultants and Clients here at Cigital has
been to build the two buckets (flaws and bugs).

What I was really trying to present was that Security people could stand to
be a bit more thorough about how they synthesize the results of their
analysis before they communicate the vulnerabilities they've found, and what
mitigating strategies they suggest.

I guess, in my mind, the most important things with regard to classifying
the mistakes software people make that lead to vulnerability (the piety of
vulnerability taxonomies aside) is to support:

1) Selection of the most effective mitigating strategy -and-
2) Root cause analysis that will result in changes in software development
that prevent software folk from making the same mistake again.

-----
John Steven        
Principal, Software Security Group
Technical Director, Office of the CTO
703 404 5726 - Direct | 703 727 4034 - Cell
Cigital Inc.          | jsteven at cigital.com

4772 F7F3 1019 4668 62AD  94B0 AE7F EEF4 62D5 F908

From: "Wall, Kevin" <Kevin.Wall at qwest.com>

John Steven wrote:
...
2) Flaws are different in important ways from bugs when it comes to presentation,
prioritization, and mitigation. Let's explore by physical analog first.

Crispin Cowan responded:
I disagree with the word usage. To me, "bug" and "flaw" are exactly
synonyms. The distinction being drawn here is between "implementation
flaws" vs. "design flaws". You are just creating confusing jargon to
claim that "flaw" is somehow more abstract than "bug". Flaw ::= defect
::= bug. A vulnerability is a special subset of flaws/defects/bugs that
has the property of being exploitable.

I'm not sure if this will clarify things or further muddy the waters,
but... partial definitions taken from SWEBOK
(http://www.swebok.org/ironman/pdf/Swebok_Ironman_June_23_%202004.pdf),
which in turn were taken from the IEEE standard glossary
(IEEE 610.12-1990), are:
+ Error: "A difference between a computed result and the correct result"
+ Fault: "An incorrect step, process, or data definition in a computer program"
+ Failure: "The [incorrect] result of a fault"
+ Mistake: "A human action that produces an incorrect result"

Not all faults are manifested as errors. I can't find an online
version of the glossary anywhere, and the one I have is about 15-20 years old
and buried somewhere deep under a score of other rarely used books.

My point is, though, until we start with some standard terminology this
field of information security is never going to mature. I propose that
we build on the foundational definitions of the IEEE-CS (unless their
definitions have "bugs" ;-).

-kevin
---
Kevin W. Wall  Qwest Information Technology, Inc.
Kevin.Wall at qwest.com Phone: 614.215.4788
"The reason you have people breaking into your software all
over the place is because your software sucks..."
 -- Former whitehouse cybersecurity advisor, Richard Clarke,
    at eWeek Security Summit
