[SC-L] Bugs and flaws
Brian Chess
brian at fortifysoftware.com
Fri Feb 3 20:51:41 EST 2006
The best definition for "flaw" and "bug" I've heard so far is that a flaw is
a successful implementation of your intent, while a bug is unintentional. I
think I've also heard "a bug is small, a flaw is big", but that definition
is awfully squishy.
If the difference between a bug and a flaw is indeed one of intent, then I
don't think it's a useful distinction. Intent rarely brings with it other
dependable characteristics.
I've also heard "bugs are things that a static analysis tool can find", but
I don't think that really captures it either. For example, it's easy for a
static analysis tool to point out that the following Java statement implies
that the program is using weak cryptography:
SecretKey key = KeyGenerator.getInstance("DES").generateKey();
Brian
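To make the "things a static analysis tool can find" point concrete: the DES statement above is a purely local, syntactic pattern, so a checker only has to match the algorithm name passed to getInstance. The following is an added example written for this page, not code from Brian's post or from any Fortify product; the sample Java source and the list of algorithms treated as weak are constructed assumptions.

```python
import re

# Constructed sample of Java source (not from the post): two weak calls, two strong ones.
SAMPLE_JAVA = """\
import javax.crypto.KeyGenerator;
import javax.crypto.Cipher;
public class Demo {
    void weak() throws Exception {
        SecretKey key = KeyGenerator.getInstance("DES").generateKey();
        Cipher c = Cipher.getInstance("DES/CBC/PKCS5Padding");
    }
    void strong() throws Exception {
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
    }
}
"""

# Algorithms this checker treats as weak or legacy (an assumed list, not from the post).
WEAK_ALGORITHMS = {"DES", "DESEDE", "RC2", "RC4", "ARCFOUR", "BLOWFISH"}

# Matches KeyGenerator.getInstance("...") and Cipher.getInstance("...") with a
# string-literal argument; only a literal is decidable without data-flow analysis.
GET_INSTANCE = re.compile(
    r'\b(KeyGenerator|Cipher)\s*\.\s*getInstance\s*\(\s*"([^"]*)"'
)


def find_weak_crypto(java_source):
    """Return (line_no, api, algorithm) for every weak-algorithm getInstance call."""
    findings = []
    for line_no, line in enumerate(java_source.splitlines(), start=1):
        for api, spec in GET_INSTANCE.findall(line):
            # A Cipher transformation is "alg/mode/padding"; the algorithm is the first field.
            algorithm = spec.split("/")[0].strip().upper()
            if algorithm in WEAK_ALGORITHMS:
                findings.append((line_no, api, algorithm))
    return findings


if __name__ == "__main__":
    for line_no, api, alg in find_weak_crypto(SAMPLE_JAVA):
        print(f"line {line_no}: {api}.getInstance uses weak algorithm {alg}")
```

The same checker says nothing about a design-level flaw such as choosing to encrypt the wrong data or to skip authentication entirely, which is exactly the contrast the post is drawing.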