
I am trying to make the link between faults and weaknesses (As defined by Common Weaknesses Enumeration).

The word "fault" is generally used in the reliability domain, to designate the cause of an error i.e., the cause of the deviation from a correct service delivered by a system to an incorrect service.

The word "weakness" is widely used in the cybersecurity community; however, its meaning is not always clear. From my readings, a weakness is defined as a mistake in software that, in proper conditions, could contribute to the introduction of vulnerabilities within that software. A vulnerability is the occurrence of a weakness in a system.

I am trying to put into relation these two concepts (faults and weaknesses), to create a relation between reliability and security. From my observations, it is fair to say that a weakness is caused by a fault. When you consider a weakness such as "incorrect privilege assignment", it is clear that this could happen only because of a bad development of your system, which can be classified as a development fault.

In my opinion, if a development fault is not a weakness (i.e., cannot lead to any vulnerability), it means that the part of your system where the fault resides is not useful, hence could be removed.

Are all development faults weaknesses? If not, do you have a concrete counterexample?

Ecterion
  • I don't think these are standard terms. A weakness could easily mean any security measure which is not performing optimally, not necessarily a result of mistakes in software. It is used informally. There are other terms which have [formal definitions](https://www.iso.org/standard/73906.html), like incident, event, attack, threat, etc. – forest Dec 11 '18 at 09:26
  • The definitions I gave you come from CVE and CWE. The word "weakness" is widely used in the SP series (NIST standards for information security) and the ISO 27000 series, and many definitions in the glossaries of these standards rely on the word "weakness". So this is a pretty standard term, I would say. Incident, threat, attack ... are terms that are not directly related to my question. All are used to express an intentional or unintentional way to exploit a vulnerability (security speaking). edit: I did not mean to offend you, but it is strange that this word is "informal" when it is so broadly used. – Ecterion Dec 11 '18 at 09:30
  • My point is that there is no one meaning unless are asking how it is defined according to a specific standard. So yes, "weakness" is widely used in information security, but unless you specify a standard, it means many things. – forest Dec 11 '18 at 09:33
  • I get your point; I will make the above text more precise in that case. – Ecterion Dec 11 '18 at 09:36
  • Related: https://security.stackexchange.com/questions/192080/difference-between-weakness-and-vulnerability. Also `faults` are a subset of `weaknesses`, see [here](https://cwe.mitre.org/about/faq.html#B.2) – Tom K. Dec 11 '18 at 12:44

1 Answer


This is a difficult question because it is difficult to define a weakness exactly, since the definition involves a considerable amount of speculation: it's something that might lead to a vulnerability. There are a lot of bugs that can be considered weaknesses. CWE says that a weakness is (emphasis added):

a type of mistake that, in proper conditions, could contribute to the introduction of vulnerabilities within that product. This term applies to mistakes regardless of whether they occur in implementation, design, or other phases of a product lifecycle.

And if you take a look at the lists of weaknesses on CWE's website, you will see that it includes a lot of generic mistakes and bad practices. Even a program that works perfectly without any functional bugs might be full of weaknesses under the hood. For example, in the list of weaknesses I have found the following interesting entries:

  • Use of deprecated or obsolete functions
  • Use of redundant code
  • Incomplete documentation
  • Insufficient logging
  • Logging of excessive data
  • Empty code block
  • Incorrect calculation

So it sounds like anything that is implemented in a less than ideal way is going to be a weakness after all. Is every bug a weakness then? The answer is probably yes, as long as it occurs in an application or in a context where security is important. A glitch in an offline single-player arcade game? Not a weakness in my opinion. Code smell in an e-commerce application? That's probably a weakness, also according to CWE.

reed