Dec 27 2006
By Larry J. Hughes, Jr. (larry.hughes@infosecintrospect.com)
What exactly is a security bug?
Virtually everyone vaguely familiar with the Internet — indeed, computers — has a vague sense of the term. After all, security bugs cause security problems, and we all know what those are.
Techies, of course, have a superior sense of the term. Yet none that I’ve asked to date — admittedly a fraction relative to the qualifying population — have given me a good definition. By that I mean one that is both (a) comprehensive enough to satisfy techies, and (b) understandable enough to satisfy laity.
This lack of a good definition bothers me, though not for the reasons you might think. I understand that security bug, like security itself, is an abstraction, and that abstractions are defined mostly by group-think.
What bothers me is that in the course of pushing security bugs, and more generally security vis-a-vis technology, to the forefront of our online consciousness, we have objectified it to its logical extreme without ever having defined it. I want to go on the record as saying this is dangerous.
Over time I’ll have a lot to say about why it’s dangerous. Meanwhile, I’ve broken ground for what I think is a good definition of security bug at http://en.wikipedia.org/wiki/Security_bug.
Posted by Larry J. Hughes, Jr. on Wednesday, December 27th, 2006, at 5:00 pm, and filed under Articles, Technical.
Ben Field | 30-Dec-06 at 3:50 am | Permalink
Larry, identifying a security bug by its benefit to unauthorized users rather than its disservice to authorized users is an approach I haven’t heard before. My neighbors do get more benefit from my internet connection whenever UPnP malfunctions and resets my wireless router to factory defaults, clearing all security settings. But in the event of poorly paying exploits, would the benefit be to quench the author’s thirst for villainy? If bugs depend at all on being exploited to realize a benefit, would the identifying mark be that they offer potential of benefit for an unauthorized party if properly exploited? A lay person might more readily understand the premise stated negatively: “has the potential of causing the system not to benefit the intended party.” This would also seem to cover any kind of denial of service, though, an implication which maybe should be avoided.
Larry J. Hughes, Jr. | 03-Jan-07 at 2:46 pm | Permalink
Ben, I have since clarified and expanded the language on the Wikipedia article. I like really terse definitions, and I agree that this one came out too narrow. To clarify one point re: benefit, it needn’t be monetary - any gain will do, including just making someone angry if that’s the goal. I’ll add another point here, though I refrained from editorializing in Wikipedia: I personally do not see DoS as a security issue at all. There are plenty of cases where DoS can trigger or aggravate security problems, but I can’t think of a single case where it is the problem. I’ll address that in a not-too-distant post about security and root cause analysis.