Tuesday 22 July 2008

Why Security Bugs Are Different

There are a couple of good reasons why security bugs are worse than the 'boring normal' (non-security) ones.
  • Security bugs are profitable, casual bugs are not. Nobody needs to reproduce 'a random spectacular crash due to bad locking' intentionally; that does not make any sense. Functional and reliability issues may happen occasionally. Often, they happen predictably. But none of them happen with intention (unless you're a software tester). So, whenever a casual bug appears, some fraction of users is affected (depending on the feature's popularity). Whenever a security hole exists, the chances are high that most of the users are under threat.
  • Casual bugs are visible, security bugs are not. When a casual bug appears, it affects how the system works; otherwise, nobody would report the bug. It breaks the user's explicit expectations. With security, the expectations are usually implicit or are entirely connected with what they call 'security features' (authentication, authorization, cryptography). Nobody complains about security bugs: the system continues to work.
Well, that's it.
