discussion

Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors

Authors:

Katrina Tsipenyuk,

Brian Chess,

Gary McGrawAuthors Info & Claims

IEEE Security and Privacy, Volume 3, Issue 6

Pages 81 - 84

Published: 01 November 2005 Publication History

Publisher Site

Abstract

Taxonomies can help software developers and security practitioners understand the common coding mistakes that affect security. The goal is to help developers avoid making these mistakes and more readily identify security problems whenever possible. Because developers today are by and large unaware of the security problems they can (unknowingly) introduce into code, a taxonomy of coding errors should provide a real tangible benefit to the software security community.

References

[1]

G. Hoglund and G. McGraw, Exploiting Software: How to Break Code, Addison-Wesley, 2004.

Digital Library

Google Scholar

[2]

G. Miller, The Magic Number Seven, Plus or Minus Two,The Psychological Rev ., vol. 63, 1956, pp. 81–97;

Crossref

Google Scholar

[3]

M. Howard, D. LeBlanc, and J. Viega, 19 Deadly Sins of Software Security, McGraw-Hill, 2005.

Digital Library

Google Scholar

[4]

K. Tsipenyuk, B. Chess, and G. McGraw, "Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors," to be published in Proc. NIST Workshop on Software Security Assurance Tools, Techniques, and Metrics (SSATTM), US Nat'l Inst. Standards and Technology, 2005.

Google Scholar

Cited By

View all

Braz LFregnan EÇalikli GBacchelli A(2021)Why Don't Developers Detect Improper Input Validation?'Proceedings of the 43rd International Conference on Software Engineering10.1109/ICSE43902.2021.00054(499-511)Online publication date: 22-May-2021
https://dl.acm.org/doi/10.1109/ICSE43902.2021.00054
Keirsgieter WVisser W(2020)Graft: Static Analysis of Java Bytecode with Graph DatabasesConference of the South African Institute of Computer Scientists and Information Technologists 202010.1145/3410886.3410901(217-226)Online publication date: 14-Sep-2020
https://dl.acm.org/doi/10.1145/3410886.3410901
Oliveira DLin TRahman MAkefirad REllis DPerez EBobhate RDeLong LCappos JBrun YEbner N(2018)API blindspotsProceedings of the Fourteenth USENIX Conference on Usable Privacy and Security10.5555/3291228.3291253(315-328)Online publication date: 12-Aug-2018
https://dl.acm.org/doi/10.5555/3291228.3291253
Show More Cited By

Index Terms

Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors

Recommendations

An ontology-based taxonomy of bad code smells
ACST'07: Proceedings of the third conference on IASTED International Conference: Advances in Computer Science and Technology

"Bad code smell" or "spaghetti code" is a jargon used among programmers to refer to source code that is difficult to maintain, evolve, and change. We consider them as symptoms of poor software engineering practice. This paper presents an application of ...
Super Mario in the Pernicious Kingdoms: Classifying glitches in old games
GAS '24: Proceedings of the ACM/IEEE 8th International Workshop on Games and Software Engineering

In a case study spanning four classic Super Mario games and the analysis of 237 known glitches within them, we classify a variety of weaknesses that are exploited by speedrunners to enable them to beat games quickly and in surprising ways. Using the ...
Taxonomy of inline code comment smells
Abstract
Code comments play a vital role in source code comprehension and software maintainability. It is common for developers to write comments to explain a code snippet, and commenting code is generally considered a good practice in software ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

IEEE Security and Privacy Volume 3, Issue 6

November 2005

93 pages

ISSN:1540-7993

Issue’s Table of Contents

Publisher

IEEE Educational Activities Department

United States

Publication History

Published: 01 November 2005

Author Tags

Qualifiers

Discussion

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

21
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 14 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Braz LFregnan EÇalikli GBacchelli A(2021)Why Don't Developers Detect Improper Input Validation?'Proceedings of the 43rd International Conference on Software Engineering10.1109/ICSE43902.2021.00054(499-511)Online publication date: 22-May-2021
https://dl.acm.org/doi/10.1109/ICSE43902.2021.00054
Keirsgieter WVisser W(2020)Graft: Static Analysis of Java Bytecode with Graph DatabasesConference of the South African Institute of Computer Scientists and Information Technologists 202010.1145/3410886.3410901(217-226)Online publication date: 14-Sep-2020
https://dl.acm.org/doi/10.1145/3410886.3410901
Oliveira DLin TRahman MAkefirad REllis DPerez EBobhate RDeLong LCappos JBrun YEbner N(2018)API blindspotsProceedings of the Fourteenth USENIX Conference on Usable Privacy and Security10.5555/3291228.3291253(315-328)Online publication date: 12-Aug-2018
https://dl.acm.org/doi/10.5555/3291228.3291253
Monperrus M(2018)Automatic Software RepairACM Computing Surveys10.1145/310590651:1(1-24)Online publication date: 23-Jan-2018
https://dl.acm.org/doi/10.1145/3105906
(2017)Attack surface-based security metric framework for service selection and compositionInternational Journal of Autonomous and Adaptive Communications Systems10.1504/IJAACS.2017.08274110:1(88-113)Online publication date: 1-Jan-2017
https://dl.acm.org/doi/10.1504/IJAACS.2017.082741
Taylor BKaza S(2016)Security Injections@TowsonACM Transactions on Computing Education10.1145/289744116:4(1-20)Online publication date: 9-Jun-2016
https://dl.acm.org/doi/10.1145/2897441
Bayati SDillon LVisser WWilliams L(2016)Security expert recommender in software engineeringProceedings of the 38th International Conference on Software Engineering Companion10.1145/2889160.2892648(719-721)Online publication date: 14-May-2016
https://dl.acm.org/doi/10.1145/2889160.2892648
Deepa GThilagam P(2016)Securing web applications from injection and logic vulnerabilitiesInformation and Software Technology10.1016/j.infsof.2016.02.00574:C(160-180)Online publication date: 1-Jun-2016
https://dl.acm.org/doi/10.1016/j.infsof.2016.02.005
Shastry BYamaguchi FRieck KSeifert J(2016)Towards Vulnerability Discovery Using Staged Program AnalysisProceedings of the 13th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment - Volume 972110.1007/978-3-319-40667-1_5(78-97)Online publication date: 7-Jul-2016
https://dl.acm.org/doi/10.1007/978-3-319-40667-1_5
Bayati SHeidary M(2016)Information Security in Software Engineering, Analysis of Developers Communications About Security in Social Q&A WebsiteProceedings of the 11th Pacific Asia Workshop on Intelligence and Security Informatics - Volume 965010.1007/978-3-319-31863-9_14(193-202)Online publication date: 19-Apr-2016
https://dl.acm.org/doi/10.1007/978-3-319-31863-9_14
Show More Cited By

Abstract

References

Cited By

Index Terms

Recommendations

An ontology-based taxonomy of bad code smells

Super Mario in the Pernicious Kingdoms: Classifying glitches in old games

Taxonomy of inline code comment smells

Comments

Information

Published In

Publisher

Publication History

Author Tags

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations