pernicious kingdoms

From Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors

One of the first studies of computer security and privacy was the RISOS (Research Into Secure Operating Systems) project [in 1976]. RISOS proposed and described seven categories of operating system security defects...:

  • Incomplete Parameter Validation
  • Inconsistent Parameter Validation
  • Implicit Sharing of Privileges / Confidential Data
  • Asynchronous Validation / Inadequate Serialization
  • Inadequate Identification / Authentication / Authorization
  • Violable Prohibition / Limit
  • Exploitable Logic Error

The study shows that there are a small number of fundamental defects that recur in different contexts.

Heh. You could say that, yes. Here we are, 40 years later, dealing (or more often, failing to deal) with exactly the same problems. How long were people starting cars with hand cranks, ten years? Fifteen?
