Review of Software Security Defects Taxonomy

An organized list of actual defects is useful for software security testing (SST). To target their techniques on a rational basis, security testers would benefit from a taxonomy of software security defects that organizes the problem space. Unfortunately, the existing taxonomies that come closest are aimed mostly at tool builders and software designers, or are organized around vulnerabilities and security errors, and do not adequately represent the security defects found in modern software. In this work we review the traditional taxonomies of software security errors and vulnerabilities. By analysing each taxonomy's target, motivation and shortcomings, we compare nine taxonomies with respect to their usefulness for defect-based software security testing.
