
I was reading "Software Security: Building Security In" and in the first chapter I came across three terms: bug, defect and flaw. The author gave a definition for each of them, but I couldn't completely understand them.

Can someone give me some examples for each term?

What is a defect and what is a flaw? I think I know what a bug is: a bug is a malfunction of a part of a system which produces an undesirable result, be it crashing on wrong input or miscalculating a series of computations.

Can someone elaborate more, and correct me if I am wrong in this?

UPDATE
To be more precise, in the book I mentioned above the words are presented in a way that makes a distinction; that's why I am asking to know more.

In that book there are some examples denoting which sample belongs to which category.

For example:

Buffer overflow is said to be a bug, while issues in method overriding (subclassing issues) are put in the flaw category.

Again, race-condition handling issues are considered bugs, and error-handling problems (fails open) are said to be flaws!

I want more elaboration on this.

gnat
Hossein
  • I have seen that question earlier; this is a different one. I explained more in the comment on the first answer. – Hossein Oct 27 '13 at 15:04

2 Answers


The terms that are defined in Software Security: Building Security In are simply the author's definitions of the terms. There are different definitions of the terms, as pointed out in another question here on Programmers. Different sources will use different terms to mean different things - it's why the author in this particular case is choosing to define and give examples of the kinds of problems he means when he uses them.

In short, the book uses "defect" to mean any design or implementation flaw or problem, "bug" to mean implementation problems (including those that may exist in code paths not executed), and "flaw" refers to an issue that is manifested in implementation but may stem from design. Bugs and flaws appear to both be specific types of defects.

Personally, I find these confusing and very much prefer the definitions provided in dukeofgaming's answer on the other question, which is rooted in the IEEE definitions of the terms.

Thomas Owens
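To make the book's categories concrete, here is an added example (not code from the book, the question or either answer) that puts one implementation bug beside two design flaws, each next to its fix. The function and class names (`copy_unsafe`, `HandlerFlawed`, `lookup_policy` and so on) are hypothetical, chosen to mirror the three cases the question lists: a buffer overflow, a subclassing issue, and error handling that fails open. The point the code makes is the one the answer above describes: the bug is local to one line and is fixed there, while each flaw is correct line by line and can only be fixed by changing the design.

```cpp
// Added example (not from the book or the question): one implementation bug
// and two design flaws, each beside its fix. All function and class names are
// hypothetical, chosen to mirror the categories the question lists.
#include <cstring>
#include <stdexcept>
#include <string>

// ---------- Bug: buffer overflow (implementation-level, local) ----------
// Vulnerable: untrusted input copied into a fixed buffer with no bounds check.
// The defect is one line and the fix is one line; the design is unchanged.
size_t copy_unsafe(const char *name) {
    char buf[16];
    strcpy(buf, name);                  // BUG: overflows buf when name has >= 16 chars
    return strlen(buf);
}

// Fixed: reject over-long input instead of silently truncating. Returns -1 on reject.
int copy_safe(const char *name) {
    char buf[16];
    size_t n = strlen(name);
    if (n >= sizeof(buf)) return -1;    // bounds check added
    memcpy(buf, name, n + 1);
    return (int)n;
}

// ---------- Flaw: subclassing bypasses an authorization check ----------
// Flawed design: the check sits inside an overridable method, so any subclass
// can replace it. No single line is wrong; the class structure is.
struct HandlerFlawed {
    virtual ~HandlerFlawed() = default;
    virtual bool handle(bool is_admin) {
        if (!is_admin) return false;    // authorization check
        return do_work();
    }
    virtual bool do_work() { return true; }
};

// A subclass overrides handle() (say, to add logging) and drops the check.
// Every line here is "correct" on its own; the base design let it happen.
struct AuditedHandlerFlawed : HandlerFlawed {
    bool handle(bool /*is_admin*/) override {
        return do_work();               // authorization gone
    }
};

// Fixed design (template method): the check lives in a non-virtual method and
// subclasses can only customize do_work(), which runs after the check.
struct HandlerFixed {
    virtual ~HandlerFixed() = default;
    bool handle(bool is_admin) {        // not virtual, so not overridable
        if (!is_admin) return false;
        return do_work();
    }
protected:
    virtual bool do_work() { return true; }
};

struct AuditedHandlerFixed : HandlerFixed {
protected:
    bool do_work() override { return HandlerFixed::do_work(); }
};

// Drive both hierarchies through a base reference, as a framework would.
bool flawed_subclass_allows_non_admin() {
    AuditedHandlerFlawed h;
    HandlerFlawed &base = h;
    return base.handle(false);          // true: check bypassed
}
bool fixed_subclass_allows_non_admin() {
    AuditedHandlerFixed h;
    HandlerFixed &base = h;
    return base.handle(false);          // false: check enforced
}
bool fixed_subclass_allows_admin() {
    AuditedHandlerFixed h;
    HandlerFixed &base = h;
    return base.handle(true);           // true: work still reachable
}

// ---------- Flaw: error handling that fails open ----------
// Constructed stand-in for a policy store that throws when it is unreachable.
bool lookup_policy(const std::string &user, bool store_up) {
    if (!store_up) throw std::runtime_error("policy store unreachable");
    return user == "alice";
}

// Flawed: an outage is treated as "allow". Not a typo; the error-handling
// policy itself is the defect, and it tends to be repeated across a code base.
bool allowed_fail_open(const std::string &user, bool store_up) {
    try { return lookup_policy(user, store_up); }
    catch (const std::exception &) { return true; }   // FLAW: fail open
}

// Fixed: unknown state is deny.
bool allowed_fail_closed(const std::string &user, bool store_up) {
    try { return lookup_policy(user, store_up); }
    catch (const std::exception &) { return false; }  // fail closed
}
```

`copy_unsafe` is kept only to show the category and must never be fed input of 16 or more characters; it is the classic bug a static analyzer or a bounded-copy rule catches at the call site. The two flaws are the cases the book files differently: `AuditedHandlerFlawed` compiles cleanly and every line of it looks reasonable, so no local scan flags it, and `allowed_fail_open` is a policy decision rather than a slip. One caveat on the fixed hierarchy: a derived class can still declare its own `handle` that hides the base one, so the framework has to dispatch through `HandlerFixed&` (as the helpers above do) for the non-virtual method to be the one that runs.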

They are the same thing. Making a distinction between them serves no purpose. They all represent defects in the code. Either the code is correct or it is wrong. If it is wrong, it's a defect. Both "bug" and "flaw" simply water-down the meaning of the word "defect".

Use "defect", so you don't end up in long conversations about whether it is a defect, flaw or bug, instead of simply fixing it and moving on.

Bryan Oakley
  • In the book I mentioned above, they are presented in a way that makes a distinction; that's why I am asking to know more. In that book there are some examples denoting which sample belongs to which category. E.g.: buffer overflow is said to be a bug, and issues in method overriding (subclassing issues) are related to the flaw category. Again, race-condition handling issues are considered bugs and error-handling problems (fails open) are said to be flaws! I want more elaboration on this, please. And by the way, thanks a million for your reply ;) – Hossein Oct 27 '13 at 15:03