“Security bug”的意思、由来-开放百科全书

词条

Security bug

释义

Causes
Taxonomy
Mitigation
See also
References
Further reading

A security bug or security defect is a software bug that can be exploited to gain unauthorized access or privileges on a computer system. Security bugs introduce security vulnerabilities by compromising one or more of:

Authentication of users and other entities ^[1]
Authorization of access rights and privileges ^[1]
Data confidentiality
Data integrity

Security bugs need not be identified nor exploited to qualify as such.

Causes

Security bugs, like all other software bugs, stem from root causes that can generally be traced to either absent or inadequate:^[2]

Software developer training
Use case analysis
Software engineering methodology
Quality assurance testing
...and other best practices

Taxonomy

Security bugs generally fall into a fairly small number of broad categories that include:^[3]

Memory safety (e.g. buffer overflow and dangling pointer bugs)
Race condition
Secure input and output handling
Faulty use of an API
Improper use case handling
Improper exception handling
Resource leaks, often but not always due to improper exception handling
Preprocessing input strings after they are checked for being acceptable.

Mitigation

See software security assurance.

References

1. ^¹{{cite web|title=CWE/SANS TOP 25 Most Dangerous Software Errors|url=http://cwe.mitre.org/top25/index.html#CWE-306|publisher=SANS|accessdate=13 July 2012}}
2. ^{{cite web|url=http://swreflections.blogspot.com/2008/11/software-quality-and-software-security.html|title=Software Quality and Software Security|date=2008-11-02|access-date=2017-04-28}}
3. ^{{cite web|url=https://www.researchgate.net/publication/220885085_Security_vulnerability_categories_in_major_software_systems|title=Security vulnerability categories in major software systems|date=2006-01-01|access-date=2017-04-28}}

Causes

Taxonomy

Mitigation

See also

References

Further reading