[SystemSafety] Analyses of root causes.

Steve Tockey Steve.Tockey at construx.com
Sat Jun 27 13:42:33 CEST 2015


Martyn,
Does this help?

WASC Threat Classification, Version 2.0, Web Applications Security Consortium, Jan, 2010.

http://www.webappsec.org and http://projects.webappsec.org/w/page/13246978/Threat%20Classification

It's the Web Apps Security Consortium's "Threat Catalog". It talks about recognized security threat vectors commonly used against web applications. Some of the threat vectors are web specific, but many are not.


Cheers,

-- steve




From: Martyn Thomas <martyn at thomas-associates.co.uk>
Reply-To: "martyn at thomas-associates.co.uk" <martyn at thomas-associates.co.uk>
Date: Saturday, June 27, 2015 3:53 AM
Cc: "systemsafety at lists.techfak.uni-bielefeld.de" <systemsafety at lists.techfak.uni-bielefeld.de>
Subject: Re: [SystemSafety] Analyses of root causes.

Thanks, Drew, but what I'd really like to find are papers that go into details at the level of "buffer overflow", "untrapped exception", "SQL injection" etc - where the failure to do acceptable software engineering is evident.

Martyn

On 27/06/2015 11:33, Drew Rae wrote:
Martyn,

Without trying to start an argument likely to go nowhere on this list, "most common" is only a question that can be answered with respect to attribution rather than cause.

Here's a sample of papers that might fit your requirements.

There's the Lutz 1993 paper "Analyzing software requirements errors in safety-critical, embedded systems" that tries to classify software errors.

There's a paper by one of my MSc Students Barton & Rae 2012 "Unplugged perils, lost hazards and failed mitigations" that tries to classify problems in the safety lifecycle based on whether the physical hazard was unidentified, or whether it was identified but still led to an accident.

There's a series of papers by Chris Johnson and Michael Holloway looking at Maritime and Aviation accident reports: e.g. "Distribution of Causes in Selected US Aviation Accident Reports between 1996 and 2003"

Of these, the Lutz and Barton papers take a fairly positivist view that you can identify the "underlying errors" in hindsight. The Lutz paper is a product of its time, and doesn't distinguish between categorisation and causation. The Barton paper is a bit more cautious, since it focuses on whether things were known, rather than whether they should have been known.

The Johnson and Holloway papers are more candid about the fact that they can't distinguish patterns in causation from patterns in attribution.

Regards,
Drew


* This message is from my work email
* I can also be contacted on andrew at ajrae.com
* My mobile number is 0450 161 361
* My desk phone is 07 37359764
* My safety podcast is DisasterCast.co.uk (http://DisasterCast.co.uk)





On 27/06/2015, at 8:03 PM, Martyn Thomas wrote:

Can anyone give me a link to any published analyses that identify the most common underlying errors in software (or systems) engineering that have led to exploitable security vulnerabilities or to safety-related failures?

Martyn



_______________________________________________
The System Safety Mailing List
systemsafety at TechFak.Uni-Bielefeld.DE

