Security bug
From Wikipedia, the free encyclopedia
See also: Vulnerability (computing)
A security bug or security defect is a software bug that can be exploited to gain unauthorized access or privileges on a computer system. Security bugs introduce security vulnerabilities by compromising one or more of:
- Authentication of users and other entities [1]
- Authorization of access rights and privileges [2]
- Data confidentiality
- Data integrity
Security bugs need not be identified, surfaced, or exploited to qualify as such.
Causes
Main article: Vulnerability (computing)
Security bugs, like all other software bugs, stem from root causes that can generally be traced to either absent or inadequate:
- Software developer training
- Use case analysis
- Software engineering methodology
- Quality assurance testing
- ...and other best practices
Taxonomy
Security bugs generally fall into a fairly small number of broad categories that include:
- Memory safety (e.g. buffer overflow and dangling pointer bugs)
- Race condition
- Secure input and output handling
- Faulty use of an API
- Improper use case handling
- Improper exception handling
- Resource leaks, often but not always due to improper exception handling
- Preprocessing input strings after they are checked for being acceptable.
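The last category in the list, as an added example that is not part of the original article: a path check applied to the raw string before percent-decoding, beside the corrected order that decodes and normalizes first. The base directory `/srv/files`, the function names, and the sample request strings are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

BASE = "/srv/files"  # hypothetical directory the application is allowed to serve

def resolve_check_then_decode(requested: str) -> str:
    """Flawed order: the raw string is validated, then preprocessed."""
    if ".." in requested.split("/"):
        raise ValueError("path traversal rejected")
    decoded = unquote(requested)  # preprocessing happens AFTER the check
    return posixpath.normpath(posixpath.join(BASE, decoded))

def resolve_decode_then_check(requested: str) -> str:
    """Corrected order: bring the input to its final form, then validate that form."""
    decoded = unquote(requested)
    full = posixpath.normpath(posixpath.join(BASE, decoded))
    # Validate the value that will actually be used, not the string as received.
    if full != BASE and not full.startswith(BASE + "/"):
        raise ValueError("path escapes base directory")
    return full

# Constructed sample inputs.
BENIGN = "docs/readme.txt"
ENCODED = "%2e%2e/private/key.pem"  # decodes to "../private/key.pem"

def demo() -> dict:
    """Run both resolvers on both inputs and collect the outcomes."""
    results = {}
    for name, fn in (("check_then_decode", resolve_check_then_decode),
                     ("decode_then_check", resolve_decode_then_check)):
        for label, value in (("benign", BENIGN), ("encoded", ENCODED)):
            try:
                results[(name, label)] = fn(value)
            except ValueError as exc:
                results[(name, label)] = f"rejected: {exc}"
    return results

if __name__ == "__main__":
    for key, outcome in demo().items():
        print(key, "->", outcome)
```

The flawed resolver accepts the encoded input because the substring it looks for only exists after decoding; the corrected resolver rejects it because the check runs on the normalized path.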
Mitigation
See Software Security Assurance.
See also
- Computer security
- Hacking: The Art of Exploitation Second Edition
- IT risk
- Threat (computer)
- Vulnerability (computing)
References
- [1] "CWE/SANS TOP 25 Most Dangerous Software Errors". SANS. Retrieved 13 July 2012.
- [2] "CWE/SANS TOP 25 Most Dangerous Software Errors". SANS. Retrieved 13 July 2012.