[WEB SECURITY] What's the difference between weakness and vulnerability?

Christian Heinrich christian.heinrich at cmlh.id.au
Sun Nov 20 03:41:12 EST 2011


On Thu, Nov 10, 2011 at 3:30 PM, Steven M. Christey
<coley at rcf-smtp.mitre.org> wrote:
> A software weakness, as we use in CWE, is a property of
> software/systems that, under the right conditions, may permit
> unintended or unauthorized behavior.  For example, if a routine does
> not perform input validation, then it *might* permit unintended or
> unauthorized behavior.  (In the CWE world, we generally think of a CWE
> entry as a weakness "type.")

I prefer "vulture", i.e. a play on the words "vulnerability" and
"feature", which was suggested by Shawn Moyer and Nathan Hamiel at
Black Hat USA 2008 in their presentation "Satan is on my Friends
List: Attacking Social Networks".

Christian Heinrich

