Landwehr, C.E., A.R. Bull, J.P. McDermott, and W.S. Choi, "A Taxonomy of Computer Program Security Flaws, with Examples," Naval Research Laboratory Report, NRL/FR/5542--93/9591, Nov. 1993. Also in ACM Computing Surveys.
An organized record of actual flaws can be useful to designers, implementors, and evaluators of computer systems. This paper provides a taxonomy for computer program security flaws together with an appendix that carefully documents 50 actual security flaws. These flaws have all been described previously in the open literature, but in widely separated places. For those new to the field of computer security, they provide a good introduction to the characteristics of security flaws and how they can arise. Because these flaws were not randomly selected from a valid statistical sample of such flaws, we make no strong claims concerning the likely distribution of actual security flaws within the taxonomy. However, this method of organizing security flaw data can help those who have custody of more representative samples to organize them and to focus their efforts on removing and, eventually, preventing the introduction of security flaws.