security bug
{{merge to|Vulnerability (computer security)|discuss=Talk:Vulnerability (computer security)#Merge proposal|date=May 2025}}
{{Short description|Type of software bug}}
A security bug or security defect is a software bug that can be exploited to gain unauthorized access or privileges on a computer system. Security bugs introduce security vulnerabilities by compromising one or more of:
- Authentication of users and other entities{{cite web|title=CWE/SANS TOP 25 Most Dangerous Software Errors|url=http://cwe.mitre.org/top25/index.html#CWE-306|publisher=SANS|accessdate=13 July 2012}}
- Authorization of access rights and privileges
- Data confidentiality
- Data integrity
Security bugs need not be identified or exploited to qualify as such, and they are assumed to be much more common than known vulnerabilities in almost any system.
Causes
{{main|Vulnerability (computing)}}
Security bugs, like all other software bugs, stem from root causes that can generally be traced to absent or inadequate:{{cite web|url=http://swreflections.blogspot.com/2008/11/software-quality-and-software-security.html|title=Software Quality and Software Security|date=2008-11-02|access-date=2017-04-28}}
- Software developer training
- Use case analysis
- Software engineering methodology
- Quality assurance testing
- and other best practices
Taxonomy
Security bugs generally fall into a fairly small number of broad categories that include:{{Cite journal|last1=Alhazmi|first1=Omar H.|last2=Woo|first2=Sung-Whan|last3=Malaiya|first3=Yashwant K.|date=Jan 2006|title=Security vulnerability categories in major software systems|url=https://www.researchgate.net/publication/220885085|journal=Proceedings of the Third IASTED International Conference on Communication, Network, and Information Security}}
- Memory safety (e.g. buffer overflow and dangling pointer bugs)
- Race condition
- Secure input and output handling
- Faulty use of an API
- Improper use case handling
- Improper exception handling
- Resource leaks, often but not always due to improper exception handling
- Preprocessing input strings before they are checked for being acceptable
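As an added illustration of the input-handling entries above (secure input handling, and the order in which input is preprocessed relative to being checked), the following constructed example shows a file-path check in its vulnerable and its corrected form. It is example code written for this article, not code from any cited source; PUBLIC_ROOT and the file names are hypothetical.

```python
from typing import Optional
from urllib.parse import unquote
import posixpath

# Constructed scenario: a handler must only serve files under PUBLIC_ROOT.
# Both functions receive the still URL-encoded path component from a request.
PUBLIC_ROOT = "/srv/www/public"  # hypothetical document root


def resolve_unsafe(raw_path: str) -> Optional[str]:
    """Defective ordering: the acceptability check runs on the raw string,
    and the percent-decoding that changes its meaning happens afterwards."""
    if ".." in raw_path:
        return None  # the raw string contains no '..', so this passes
    decoded = unquote(raw_path)  # '%2e%2e' becomes '..' only here
    return posixpath.normpath(posixpath.join(PUBLIC_ROOT, decoded.lstrip("/")))


def resolve_safe(raw_path: str) -> Optional[str]:
    """Corrected ordering: fully canonicalize first, then validate the
    canonical result rather than the raw input."""
    decoded = unquote(raw_path)
    # A single decode must reach a fixpoint; reject doubly encoded input
    if unquote(decoded) != decoded:
        return None
    candidate = posixpath.normpath(
        posixpath.join(PUBLIC_ROOT, decoded.lstrip("/"))
    )
    # The check is made on the canonical path: it must stay inside the root
    if candidate != PUBLIC_ROOT and not candidate.startswith(PUBLIC_ROOT + "/"):
        return None
    return candidate
```

Note that `resolve_safe` still accepts `css/../index.html`, because the canonical form of that path lies inside the root; the fix rejects paths by where they resolve, not by pattern-matching the raw text.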
Mitigation
See also
References
{{Reflist}}
Further reading
- {{cite web| url=https://www.owasp.org/index.php/Top_10_2013-Top_10 |title=2013 Top 10 List |date=21 August 2015 |author=Open Web Application Security Project}}
- {{cite web|title=CWE/SANS TOP 25 Most Dangerous Software Errors|url=http://cwe.mitre.org/top25/index.html#CWE-862|publisher=SANS|accessdate=13 July 2012}}
{{Information security}}