A TAXONOMY OF COMPUTER-PROGRAM SECURITY FLAWS

Citation
C. E. Landwehr et al., A TAXONOMY OF COMPUTER-PROGRAM SECURITY FLAWS, ACM Computing Surveys, 26(3), 1994, pp. 211-254
Number of citations
30
Subject categories
Computer Sciences; Computer Science Theory & Methods
Journal title
ACM Computing Surveys
ISSN journal
03600300
Volume
26
Issue
3
Year of publication
1994
Pages
211 - 254
Database
ISI
SICI code
0360-0300(1994)26:3<211:ATOCSF>2.0.ZU;2-6
Abstract
An organized record of actual flaws can be useful to computer system designers, programmers, analysts, administrators, and users. This survey provides a taxonomy for computer program security flaws, with an Appendix that documents 50 actual security flaws. These flaws have all been described previously in the open literature, but in widely separated places. For those new to the field of computer security, they provide a good introduction to the characteristics of security flaws and how they can arise. Because these flaws were not randomly selected from a valid statistical sample of such flaws, we make no strong claims concerning the likely distribution of actual security flaws within the taxonomy. However, this method of organizing security flaw data can help those who have custody of more representative samples to organize them and to focus their efforts to remove and, eventually, to prevent the introduction of security flaws.