摘要: An organized record of actual flaws can be useful to designers, implementors, and evaluators of computer systems. This paper provides a taxonomy for computer program security flaws together with an appendix that carefully document... 展开 An organized record of actual flaws can be useful to designers, implementors, and evaluators of computer systems. This paper provides a taxonomy for computer program security flaws together with an appendix that carefully documents 50 actual security flaws. These flaws have all been described previously in the open literature, but in widely separated places. For those new to the field of computer security, they provide a good introduction to the characteristics of security flaws and how they can arise. Because these flaws were not randomly selected from a valid statistical sample of such flaws, we make no strong claims concerning the likely distribution of actual security flaws within the taxonomy. However, this taxonomy can be used to organize and abstract more representative samples. Data organized this way could be used to focus efforts to remove security flaws and prevent their introduction. Security and protection, Security flaw, Access controls, Error/defect classification. 收起