5

The Microsoft SDLC model decomposes the requirement phase into different practices, one of which is creating quality gates / a bug bar, where each identified bug should be classified as a client or server bug. Could you please explain to me what the difference between client and server bugs is?

In addition, Microsoft also emphasizes that we must know whether the bug affects client-side code or server-side code. Could you also explain to me the difference between client-side code and server-side code?

For example, in an instant messaging server and client, is a Man-in-the-middle attack classified as a client or a server bug, and does it affect the client-side code or the server-side code?

user3011084

2 Answers

7

Client bugs are bugs residing in client side programs used to connect or interact with the server:

Client: Either software that runs locally on a single computer or software that accesses shared resources provided by a server over a network.

Server: Computer that is configured to run software that awaits and fulfills requests from client processes that run on other computers.

The difference between client and server side code depends on where the code is executed. So either in the client program or in the server.

Your example can cover both server and client-side bugs:

  • Server doesn't offer MiTM prevention through (for instance) SSL
  • Client doesn't verify the certificate prior to setting up an encrypted tunnel

It can even be a combination of both server and client side code.

Lucas Kauffman
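The second bullet above (client does not verify the certificate before using the tunnel) as a concrete client-side code bug, in an added example that is not part of the answer: a weak and a hardened TLS client configuration for a hypothetical IM client, plus the audit check a bug-bar review would apply. The function and hostname names are assumptions made for this example.

```python
import ssl

# Constructed for this example: the IM server the client would connect to.
IM_SERVER_HOST = "im.example.test"


def weak_client_context() -> ssl.SSLContext:
    """Client-side bug: TLS is negotiated, but the server certificate is never
    verified, so an on-path party presenting any certificate is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_bundle=None) -> ssl.SSLContext:
    """Fixed client: chain is validated against trusted CAs and the certificate
    must match IM_SERVER_HOST before any message crosses the tunnel."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return the client-side findings a bug-bar review would record for ctx.
    An empty list means the client itself does not enable a MiTM."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("client accepts unverified server certificate")
    if not ctx.check_hostname:
        findings.append("client does not match certificate to server hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("client permits TLS versions below 1.2")
    return findings


if __name__ == "__main__":
    # Usage: wrap_socket(..., server_hostname=IM_SERVER_HOST) would be called
    # with the hardened context; here we only show the review result.
    print("weak:    ", audit_client_context(weak_client_context()))
    print("hardened:", audit_client_context(hardened_client_context()))
```

The server-side counterpart (the first bullet) is a configuration finding rather than a client code defect: the same review records it against the server if it offers no TLS listener at all.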
3

Client Side - attacks for which client intervention would be needed. These are particularly users or any client code, e.g. JavaScript, etc., at fault. All impacts are client side and don't affect your server data or the server state.

Server Side - attacks in which server state or server data is compromised. This in turn means that server-side code, i.e. PHP (processor), etc., or one of its components coded in-house or deployed as open source is compromised, and hence an attacker can now compromise or escalate this to a complete compromise of individual networked hosts.

Generally server side attacks are more severe in nature than client side ones, since on the client side a 3rd party or user intervention is needed. Client is anything which the end user has to take care of. Server is anything which a sysadmin takes care of. MiTM is a client side hooking attack, since a man in the middle hijacks the traffic and then redirects or harvests it in order to gain access to an account, or replays the same traffic to utilize it in a certain way.

Shritam Bhowmick