Gary McCraw wrote:
> This month's informIT article covers the zombies:
[snip]
> * Software security defects come in two main flavorsābugs at the
> implementation level (code) and flaws at the architectural level (design)
So, two questions:
1) How is this (software *security* defects) different than any other software
defect?
It seems to me that these are also 2 main categories of software defects in
general.
2) In terms of "flavors", where do you see software security defects arising
from either incorrect
requirements or simply lack of specifications?
My experience with #2 is that poor specifications are a major contributor to
software
security defects, more so even than with software defects in general. That's
because generally
these specs are usually considered "non-functional requirements" and they get
missed
more by systems analysts simply because they are not something that the business
wants and therefore they aren't put into the reqts and thus never get built.
I'm not talking about the pseudo-PCI-like requirements that says things like
making
sure that you have no OWASP Top Ten vulnerabilities, but rather actual omission
of requirements such as failure to specify that data must be kept confidential,
or to access this data requires authorization by a certain role, or that an
audit
trail must be required for certain actions, etc.
I don't see how you can chalk these sorts of defects up to flaws at the
architecture level (unless you and I have drastically different views of
system architecture). The are outright omissions in the specifications
and because they are not there, the application team never even thinks
about building in that functionality. Bottom line: I think you are missing
a "flavor".
Thanks,
-kevin
--
Kevin W. Wall 614.215.4788 Qwest Risk Management / Information Security Team
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents." -- Nathaniel Borenstein, co-creator of MIME
This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful. If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
