ABSTRACT
Although proposals were made three decades ago to build static analysis tools to either assist software security evaluations or to find security flaws, it is only recently that static analysis and model checking technology has reached the point where such tooling has become feasible. In order to target their technology on a rational basis, it would be useful for tool-builders to have available a taxonomy of software security flaws organizing the problem space. Unfortunately, the only existing suitable taxonomies are sadly out-of-date, and do not adequately represent security flaws that are found in modern software. In our work, we have coalesced previous efforts to categorize security problems, as well as incident reports, in order to create a security flaw taxonomy. We correlate this taxonomy with available information about current high-priority security threats, and make observations regarding the results. We suggest that this taxonomy is suitable for tool developers and outline possible areas of future research.
CITED BY
Carolyn B. Seaman, Forrest Shull, Myrna Regardie, Denis Elbert, Raimund L. Feldmann, Yuepu Guo, and Sally Godfrey. Defect categorization: making use of a decade of widely varying historical data. In Proceedings of the Second ACM-IEEE International Symposium on Empirical Software Engineering and Measurement, Kaiserslautern, Germany, October 9-10, 2008.