Software defects that lead to security problems come in two major flavors — bugs in the implementation and flaws in the design. A majority of attention in the software security marketplace (too much, we think) is devoted to finding and fixing bugs, mostly because automated code review tools make that process straightforward. But flaws in the design and architecture of software account for 50% of security defects (see McGraw’s 2001 book Building Secure Software for more on this).

In this article, we’ll explain the difference between bugs and flaws. More importantly, we’ll describe an architecture risk analysis (ARA) process that has proven to be useful in finding and fixing flaws.

What is the difference between a bug and a flaw? Perhaps some examples can help.

Bugs are found in software code (source or binary). One of the classic bugs of all time, the buffer overflow, has at its root the misuse of certain string handling functions in C. The most notorious such function is gets() — a system call that gets input from a user until the user decides to hit return. Imagine a fixed size buffer or something like an empty drinking glass. Then imagine that you set up things to get more input than fits in the glass (and the attacker is “pouring”). If you pour too much water into a glass and overfill it, water spills all over the counter. In the case of a buffer overflow in C, too much input can overwrite the heap or even overwrite the stack in such a way as to take control of the process. Simple bug. Awful repercussions. (And in the case of gets(), particularly easy to find in source code.)

Hundreds of system calls exist in C that can lead to security bugs if they are used incorrectly, ranging from string handling functions to integer overflow and integer underflow hazards. And there are just as many bugs in Java and other languages. There are also common bugs in Web applications (think cross-site scripting or cross-site request forgery) and bugs related to databases (like SQL injection).

There’s an endless parade of bugs (and, by the way, there are way more than ten). The fact is, there are so many possible bugs that it makes sense to adopt and use a tool to find them. The many commercial source code review tools available include HP’s Fortify, IBM AppScan Source, Coverity Inc.’s Quality Advisor, and Klocwork Inc.’s Klocwork Insight. The latest twist in source code review is to integrate bug finding directly into each developer’s integrated development environment (IDE), so that bugs are uncovered as close to conception as possible. For example, Cigital Inc.’s SecureAssist does this.

Opinion: Software [in]security — software flaws in application architecture