This site presents a taxonomy of software security errors developed by the Fortify Software Security Research Group together with Dr. Gary McGraw. Each vulnerability category is accompanied by a detailed description of the issue with references to original sources, and code excerpts, where applicable, to better illustrate the problem.
The classification scheme is organized using terminology borrowed from biology: each vulnerability category is a phylum, and a collection of phyla that share a common theme is a kingdom. The phyla are grouped into "seven plus one" pernicious kingdoms, listed here in order of importance to software security:
1. Input Validation and Representation
2. API Abuse
3. Security Features
4. Time and State
5. Errors
6. Code Quality
7. Encapsulation
*. Environment
The first seven kingdoms are associated with security defects in source code, while the last one describes security issues outside the actual code. To browse the kingdom and phylum descriptions, simply navigate the taxonomy tree on the left.
The primary goal of defining this taxonomy is to organize sets of security rules that can be used to help software developers understand the kinds of errors that have an impact on security. By better understanding how systems fail, developers will better analyze the systems they create, more readily identify and address security problems when they see them, and generally avoid repeating the same mistakes in the future.
When put to work in an analysis tool, a set of security rules organized according to this taxonomy is a powerful teaching mechanism. Because developers today are by and large unaware of the myriad ways they can introduce security problems into their work, making a taxonomy like this available should provide tangible benefits to the software security community.
Defining a better classification scheme can also lead to better tools: a better understanding of the problems will help researchers and practitioners create better methods for ferreting them out.
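The following is an added illustration of the point made above, not code from this site or from Fortify's analysis engine: a toy line-level scanner whose rule set is organized by kingdom and phylum, so that its findings come out grouped in the taxonomy's order. The kingdom and phylum names follow the taxonomy as described in the Seven Pernicious Kingdoms paper; the regular expressions, the `scan` and `group_by_kingdom` functions, and the two sample inputs are constructed for this example and are deliberately crude heuristics, not real Fortify rules.

```python
"""Toy rule-driven scanner whose rules are organised by kingdom and phylum."""
import re
from collections import OrderedDict

# The "seven plus one" kingdoms in the order the taxonomy presents them.
KINGDOMS = [
    "Input Validation and Representation",
    "API Abuse",
    "Security Features",
    "Time and State",
    "Errors",
    "Code Quality",
    "Encapsulation",
    "Environment",  # not a source-code kingdom, so no line-level rule below
]

# Hypothetical rule set: (kingdom, phylum, line regex). The kingdom/phylum
# labels follow the taxonomy; the regexes are crude single-line heuristics
# written for this example, not Fortify's rule logic.
RULES = [
    ("Input Validation and Representation", "SQL Injection",
     re.compile(r'execute\(\s*["\'].*\b(SELECT|INSERT|UPDATE|DELETE)\b.*["\']\s*[+%]')),
    ("API Abuse", "Dangerous Function",
     re.compile(r'\bgets\s*\(')),
    ("Security Features", "Insecure Randomness",
     re.compile(r'\brandom\.(random|randint|choice)\s*\(')),
    ("Time and State", "File Access Race Condition",
     re.compile(r'\bos\.access\s*\(')),
    ("Errors", "Empty Catch Block",
     re.compile(r'^\s*except\b[^:]*:\s*pass\s*$')),
    ("Code Quality", "Unreleased Resource",
     re.compile(r'^\s*\w+\s*=\s*open\s*\(')),
    ("Encapsulation", "Leftover Debug Code",
     re.compile(r'\bprint\s*\(.*\bDEBUG\b')),
]


def scan(source):
    """Return one (line_no, kingdom, phylum, stripped line) tuple per rule hit."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for kingdom, phylum, pattern in RULES:
            if pattern.search(line):
                findings.append((line_no, kingdom, phylum, line.strip()))
    return findings


def group_by_kingdom(findings):
    """Bucket findings under every kingdom, keeping the taxonomy's order."""
    grouped = OrderedDict((k, []) for k in KINGDOMS)
    for line_no, kingdom, phylum, line in findings:
        grouped[kingdom].append((line_no, phylum, line))
    return grouped


# Constructed sample inputs, each seeded with defects the rules above catch.
SAMPLE_PY = """\
import os, random

def lookup(cur, user):
    cur.execute("SELECT * FROM users WHERE name = '" + user + "'")

def session_token():
    return str(random.random())

def read_config(path):
    if os.access(path, os.R_OK):
        f = open(path)
        return f.read()

def safe_div(a, b):
    try:
        return a / b
    except ZeroDivisionError: pass

print("DEBUG: reached main")
"""

SAMPLE_C = """\
char buf[64];
gets(buf);
"""

if __name__ == "__main__":
    for name, src in (("sample.py", SAMPLE_PY), ("sample.c", SAMPLE_C)):
        print(f"== {name}")
        for kingdom, hits in group_by_kingdom(scan(src)).items():
            for line_no, phylum, line in hits:
                print(f"{kingdom} / {phylum}: line {line_no}: {line}")
```

Because every rule carries its kingdom and phylum, a report produced this way teaches the reader which class of mistake each hit belongs to, which is the teaching effect the text describes; the Environment bucket stays empty because that kingdom covers issues outside the code a line scanner can see.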
To read more about the taxonomy, please see Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors.