Whats the difference between a “weakness” and a vulnerability?
A weakness is simply a general type of developer error, independent of the context that the error occurs in. Sometimes, it might not have any security relevance at all. However, when the weakness appears in deployed software, and it’s in a place in code that may be accessible to attackers, then it could turn into a vulnerability if the conditions are right. It might include the presence of other weaknesses, for example. Further complicating the issue are the diverse perspectives and inconsistent terminology that is used within software security, which is still a relatively new field (especially compared to, say, bridge engineering). People with different perspectives may use the same terminology, or concentrate on different aspects of a problem. For example, depending on the person speaking, the phrase “buffer overflow” could mean the type of programmer error, the type of attack, or the type of consequence. CWE (and the Top 25) have to be usable to many people with these different pers
Related Questions
- What is the difference between IWLs SNMP Vulnerability tests and the free tests available from the University of Oulu?
- What is the difference between NVD and the Common Vulnerabilities and Exposures (CVE) standard vulnerability dictionary?
- What is the difference between vulnerability analysis systems and intrusion detection systems?
