Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
Security bug
open-in-new
<h2 id="causes">Causes</h2> <p class="note">Main article: <a href="/facts/Vulnerability_(computing)/jg0Gr71M">Vulnerability (computing)</a></p> <p>Security bugs, like all other <a href="/facts/Software_bugs/I1uSXySv">software bugs</a>, stem from <a href="/facts/Root_cause_analysis/a3Da5qJI">root causes</a> that can generally be traced to either absent or inadequate:<a class="footnote-ref" id="fnref:3" href="#fn:3"><sup>3</sup></a> </p> <ul><li><a href="/facts/Software_developer/WGTS1Jv9">Software developer</a> training</li> <li><a href="/facts/Use_case/8pNHjsIr">Use case</a> analysis</li> <li><a href="/facts/Software_engineering_methodology/cIDtuNPN">Software engineering methodology</a></li> <li><a href="/facts/Quality_assurance/BhDeyhel">Quality assurance</a> testing</li> <li>and other <a href="/facts/Best_practice/HkqedbtQ">best practices</a></li></ul> <h2 id="taxonomy">Taxonomy</h2> <p>Security bugs generally fall into a fairly small number of broad categories that include:<a class="footnote-ref" id="fnref:4" href="#fn:4"><sup>4</sup></a> </p> <ul><li><a href="/facts/Memory_safety/sMWW6SY8">Memory safety</a> (e.g. <a href="/facts/Buffer_overflow/uMFduL4B">buffer overflow</a> and <a href="/facts/Dangling_pointer/WowANVwK">dangling pointer</a> bugs)</li> <li><a href="/facts/Race_condition/bvNpgy4F">Race condition</a></li> <li>Secure input and output handling</li> <li>Faulty use of an <a href="/facts/API/GMlN4vUr">API</a></li> <li>Improper <a href="/facts/Use_case/8pNHjsIr">use case</a> handling</li> <li>Improper <a href="/facts/Exception_handling/VrJxgb9r">exception handling</a></li> <li><a href="/facts/Resource_leak/6zxNKPXA">Resource leaks</a>, often but not always due to improper exception handling</li> <li>Preprocessing input strings before they are checked for being acceptable</li></ul> <h2 id="mitigation">Mitigation</h2> <p>See <a href="/facts/Software_security_assurance/4wyxlyqU">software security assurance</a>. </p> <h2 id="see-also">See also</h2> <ul><li><a href="/facts/Computer_security/7E5dIy7G">Computer security</a></li> <li><a href="/facts/Hacking%3a_The_Art_of_Exploitation/NCHdU25o">Hacking: The Art of Exploitation</a></li> <li><a href="/facts/IT_risk/ypuDa6CL">IT risk</a></li> <li><a href="/facts/Threat_(computer)/5RHTbSac">Threat (computer)</a></li> <li><a href="/facts/Vulnerability_(computing)/jg0Gr71M">Vulnerability (computing)</a></li> <li><a href="/facts/Hardware_bug/dsCVKPmN">Hardware bug</a></li> <li><a href="/facts/Secure_coding/lob7nHBI">Secure coding</a></li></ul> <h2 id="further-reading">Further reading</h2> <ul><li>Open Web Application Security Project (21 August 2015). <a href="https://www.owasp.org/index.php/Top_10_2013-Top_10">"2013 Top 10 List"</a>.</li> <li><a href="http://cwe.mitre.org/top25/index.html#CWE-862">"CWE/SANS TOP 25 Most Dangerous Software Errors"</a>. SANS. Retrieved 13 July 2012.</li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>"CWE/SANS TOP 25 Most Dangerous Software Errors". SANS. Retrieved 13 July 2012. <a href="http://cwe.mitre.org/top25/index.html#CWE-306" target="_blank">http://cwe.mitre.org/top25/index.html#CWE-306</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>"CWE/SANS TOP 25 Most Dangerous Software Errors". SANS. Retrieved 13 July 2012. <a href="http://cwe.mitre.org/top25/index.html#CWE-306" target="_blank">http://cwe.mitre.org/top25/index.html#CWE-306</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>"Software Quality and Software Security". 2008-11-02. Retrieved 2017-04-28. <a href="http://swreflections.blogspot.com/2008/11/software-quality-and-software-security.html" target="_blank">http://swreflections.blogspot.com/2008/11/software-quality-and-software-security.html</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>Alhazmi, Omar H.; Woo, Sung-Whan; Malaiya, Yashwant K. (Jan 2006). "Security vulnerability categories in major software systems". Proceedings of the Third IASTED International Conference on Communication, Network, and Information Security. <a href="https://www.researchgate.net/publication/220885085" target="_blank">https://www.researchgate.net/publication/220885085</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> </ol>