BSIMM: Confessions of a Software Security Alchemist(informIT)

[list-spam at secureconsulting.net (Benjamin Tomhave)]

So, what you're saying is that "security bugs" are really design flaws,
assuming a perfect implementation of the design. Ergo, security bug is
at best a misnomer, and at worst a fatal deficiency in design acumen.

:)

-ben

Goertzel, Karen [USA] wrote:
> Except when they're hardware bugs. :)
>
> I think the differentiation is also meaningful in this regard: I can
> specify software that does non-secure things. I can implement that
> software 100% correctly. Ipso facto - no software bugs. But the fact
> remains that the software doesn't validate input because I didn't
> specify it to validate input, or it doesn't encrypt passwords because I
> didn't specify it to do so. I built to spec; it just happened to be a
> stupid spec. So the spec is flawed - but the implemented software
> conforms to that stupid spec 100%, so by definition it not flawed. It
> is, however, non-secure.
>
> --
> Karen Mercedes Goertzel, CISSP
> Booz Allen Hamilton
> 703.698.7454
> goertzel_karen at bah.com
>
>
>
>
> -----Original Message-----
> From: sc-l-bounces at securecoding.org on behalf of Benjamin Tomhave
> Sent: Thu 19-Mar-09 19:28
> To: Secure Code Mailing List
> Subject: Re: [SC-L] BSIMM: Confessions of a Software Security
> Alchemist(informIT)
>
> Why are we differentiating between "software" and "security" bugs? It
> seems to me that all bugs are software bugs, ...

-- 
Benjamin Tomhave, MS, CISSP
falcon at secureconsulting.net
LI: http://www.linkedin.com/in/btomhave
Blog: http://www.secureconsulting.net/
Photos: http://photos.secureconsulting.net/
Web: http://falcon.secureconsulting.net/

[ Random Quote: ]
Hartree's Law: "Whatever the state of a project, the time a
project-leader will estimate for completion is constant."
http://globalnerdy.com/2007/07/18/laws-of-software-development/