Security bug

<templatestyles src="Module:Hatnote/styles.css"></templatestyles>

A security bug or security defect is a software bug that can be exploited to gain unauthorized access or privileges on a computer system. Security bugs introduce security vulnerabilities by compromising one or more of:

• Authentication of users and other entities ^[1]
• Authorization of access rights and privileges ^[2]
• Data confidentiality
• Data integrity

Security bugs need not be identified, surfaced nor exploited to qualify as such.

Causes

<templatestyles src="Module:Hatnote/styles.css"></templatestyles>

Security bugs, like all other software bugs, stem from root causes that can generally be traced to either absent or inadequate:

• Software developer training
• Use case analysis
• Software engineering methodology
• Quality assurance testing
• ...and other best practices

Taxonomy

Security bugs generally fall into a fairly small number of broad categories that include:

• Memory safety (e.g. buffer overflow and dangling pointer bugs)
• Race condition
• Secure input and output handling
• Faulty use of an API
• Improper use case handling
• Improper exception handling
• Resource leaks, often but not always due to improper exception handling
• Preprocessing input strings after they are checked for being acceptable.

Mitigation

See Software Security Assurance.

See also

• Computer security
• Hacking: The Art of Exploitation Second Edition
• IT risk
• Threat (computer)
• Vulnerability (computing)

References

<templatestyles src="Reflist/styles.css" />

1. ↑ Lua error in package.lua at line 80: module 'strict' not found.
2. ↑ Lua error in package.lua at line 80: module 'strict' not found.