Archive for December 27th, 2006

Shrug as a Bug

December 27th, 2006

By Larry J. Hughes, Jr. (larry.hughes@infosecintrospect.com)

What exactly is a security bug?

Virtually everyone vaguely familiar with the Internet — indeed, computers — has a vague sense of the term. After all, security bugs cause security problems, and we all know what those are.

Techies, of course, have a superior sense of the term. Yet none that I’ve asked to date — admittedly a fraction relative to the qualifying population — have given me a good definition. By that I mean one that is both (a) comprehensive enough to satisfy techies, and (b) understandable enough to satisfy laity.

This lack of a good definition bothers me, though not for the reasons you might think. I understand that security bug, like security itself, is an abstraction, and that abstractions are defined mostly by group-think.

What bothers me is that in the course of pushing security bugs, and more generally security vis-a-vis technology, to the forefront of our online consciousness, we have objectified it to its logical extreme without ever having defined it. I want to go on the record as saying this is dangerous.

Over time I’ll have a lot to say about why it’s dangerous. Meanwhile, I’ve broken ground for what I think is a good definition of security bug at http://en.wikipedia.org/wiki/Security_bug.
