Re: What is a security bug?



* Jasper Filon:

> Well, obviously it is not a _security_ bug, since it has nothing to do
> with security.

Availability is typically considered one aspect of security (and
arguably the hardest one to get right in networked applications).

For example, here's a quote from FIPS 199:

| Security Objectives
| 
| The FISMA defines three security objectives for information and
| information systems:
| 
| CONFIDENTIALITY
| 
| "Preserving authorized restrictions on information access and
| disclosure, including means for protecting personal privacy and
| proprietary information..." [44 U.S.C., Sec. 3542]
| 
| A loss of confidentiality is the unauthorized disclosure of information.
| 
| INTEGRITY
| 
| "Guarding against improper information modification or destruction,
| and includes ensuring information non-repudiation and authenticity..."
| [44 U.S.C., Sec. 3542]
| 
| A loss of integrity is the unauthorized modification or destruction of
| information.
| 
| AVAILABILITY
| 
| "Ensuring timely and reliable access to and use of information..." [44
| U.S.C., SEC. 3542]
| 
| A loss of availability is the disruption of access to or use of
| information or an information system.

As far as I know, these definitions are widely accepted and guide
most vendor security efforts.

Maybe the example I gave is not a security bug, but I think you need a
more convincing argument than "it's just a crash".
