Computer Security Badness Hierarchy
Yesterday's "big news" was the Top-25 list of common programming errors published by SANS. Today, Lori MacVittie (@lmacvittie) asked the question "Hmmm... am feeling need to create a visual diagram of the relationships between the errs listed by SANS. How many result from same base err?"
I responded to that question with the following: "between bad coding, bad configuration and bad users; how many other basic error categories can you come up with?" At this point, Michael Santarcangelo (@catalyst) joined the conversation by pointing out that he does not feel comfortable with the label "bad" - especially for users, but also for code.
While I agree with this observation, my use of the word "bad" was
deliberate. Not only is "bad" easy to comprehend and easy to remember,
it is also a broad enough term to cover many different aspects.
Rephrasing my list of three elements to vulnerable code, insecure
configurations, and unaware users" may be less accusatory, but it is
also much more specific.
For example, "bad users"
encompasses unaware users, but it also captures users who are
deliberately trying to exceed their authorizations.
Ryan Russel (@ryanlrussel) also chimed in with the suggestion "Bad Ideas". By doing that, he trumped the entire discussion ;)
Putting it all together, we get the following:
Mapping this graph to the SANS top 25 is fairly easily done, but
exceeds my powerpoint abilities to effectively convey this by far.