{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,7]],"date-time":"2026-02-07T22:54:06Z","timestamp":1770504846226,"version":"3.49.0"},"reference-count":29,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2005,5,15]],"date-time":"2005-05-15T00:00:00Z","timestamp":1116115200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["SIGSOFT Softw. Eng. Notes"],"published-print":{"date-parts":[[2005,7]]},"abstract":"<jats:p>Although proposals were made three decades ago to build static analysis tools to either assist software security evaluations or to find security flaws, it is only recently that static analysis and model checking technology has reached the point where such tooling has become feasible. In order to target their technology on a rational basis, it would be useful for tool-builders to have available a taxonomy of software security flaws organizing the problem space. Unfortunately, the only existing suitable taxonomies are sadly out-of-date, and do not adequately represent security flaws that are found in modern software. In our work, we have coalesced previous efforts to categorize security problems as well as incident reports in order to create a security flaw taxonomy. We correlate this taxonomy with available information about current high-priority security threats, and make observations regarding the results. 
We suggest that this taxonomy is suitable for tool developers and to outline possible areas of future research.<\/jats:p>","DOI":"10.1145\/1082983.1083209","type":"journal-article","created":{"date-parts":[[2005,11,7]],"date-time":"2005-11-07T19:28:32Z","timestamp":1131391712000},"page":"1-7","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":17,"title":["A software flaw taxonomy"],"prefix":"10.1145","volume":"30","author":[{"given":"Sam","family":"Weber","sequence":"first","affiliation":[{"name":"IBM Research Division, Thomas J. Watson Research Center, Yorktown Heights, NY"}]},{"given":"Paul A.","family":"Karger","sequence":"additional","affiliation":[{"name":"IBM Research Division, Thomas J. Watson Research Center, Yorktown Heights, NY"}]},{"given":"Amit","family":"Paradkar","sequence":"additional","affiliation":[{"name":"IBM Research Division, Thomas J. Watson Research Center, Yorktown Heights, NY"}]}],"member":"320","published-online":{"date-parts":[[2005,5,15]]},"reference":[{"key":"e_1_2_1_1_1","volume-title":"The RISOS Project","author":"Abbott R. P.","year":"1976","unstructured":"R. P. Abbott , J. S. Chin , J. E. Donnelley , W. L. Konigsford , S. Tukubo , and D. A. Webb . Security analysis and enhancements of computer operating systems. NBSIR 76--1041 , The RISOS Project , Lawrence Livermore Laboratory, Livermore, CA, USA , Apr. 1976 . Published by the Institute for Computer Sciences and Technology, National Bureau of Standards , Washington, DC, USA. R. P. Abbott, J. S. Chin, J. E. Donnelley, W. L. Konigsford, S. Tukubo, and D. A. Webb. Security analysis and enhancements of computer operating systems. NBSIR 76--1041, The RISOS Project, Lawrence Livermore Laboratory, Livermore, CA, USA, Apr. 1976. Published by the Institute for Computer Sciences and Technology, National Bureau of Standards, Washington, DC, USA."},{"key":"e_1_2_1_2_1","volume-title":"Smashing the stack for fun and profit. 
Phrack, 7(49)","author":"One Aleph","year":"1996","unstructured":"Aleph One . Smashing the stack for fun and profit. Phrack, 7(49) , 8 November 1996 . URL : http:\/\/www.phrack.org\/show.php?p=49&a=14. Aleph One. Smashing the stack for fun and profit. Phrack, 7(49), 8 November 1996. URL: http:\/\/www.phrack.org\/show.php?p=49&a=14."},{"key":"e_1_2_1_3_1","volume-title":"Demonstration of the subversion threat: Facing a critical responsibility in the defense of cyberspace. Master's thesis. Naval Postgraduate School","author":"Anderson E. A.","year":"2002","unstructured":"E. A. Anderson . Demonstration of the subversion threat: Facing a critical responsibility in the defense of cyberspace. Master's thesis. Naval Postgraduate School . Mar. 2002 . E. A. Anderson. Demonstration of the subversion threat: Facing a critical responsibility in the defense of cyberspace. Master's thesis. Naval Postgraduate School. Mar. 2002."},{"issue":"51","key":"e_1_2_1_4_1","first-page":"64","article-title":"Subversion as a threat in information warfare","volume":"3","author":"Anderson E. A.","year":"2004","unstructured":"E. A. Anderson , C. E. Irvine , and R. R. Schell . Subversion as a threat in information warfare . Journal of Information Warfare , 3 : 51 -- 64 , 2004 . E. A. Anderson, C. E. Irvine, and R. R. Schell. Subversion as a threat in information warfare. Journal of Information Warfare, 3:51 -- 64, 2004.","journal-title":"Journal of Information Warfare"},{"key":"e_1_2_1_6_1","volume-title":"IEEE Symposium on Security and Privacy","author":"Ashcraft K.","unstructured":"K. Ashcraft and D. Engler . Using programmer-written compiler extensions to catch security holes, May 2002 . In IEEE Symposium on Security and Privacy , Oakland, California. K. Ashcraft and D. Engler. Using programmer-written compiler extensions to catch security holes, May 2002. 
In IEEE Symposium on Security and Privacy, Oakland, California."},{"key":"e_1_2_1_7_1","volume-title":"A taxonomy of security faults in the UNIX operating system. Master's thesis","author":"Aslam T.","year":"1995","unstructured":"T. Aslam . A taxonomy of security faults in the UNIX operating system. Master's thesis , Purdue University , Aug. 1995 . T. Aslam. A taxonomy of security faults in the UNIX operating system. Master's thesis, Purdue University, Aug. 1995."},{"key":"e_1_2_1_8_1","first-page":"551","volume-title":"Proc. 19th NIST-NCSC National Information Systems Security Conference","author":"Aslam T.","year":"1996","unstructured":"T. Aslam , I. Krsul , and E. H. Spafford . Use of a taxonomy of security faults . In Proc. 19th NIST-NCSC National Information Systems Security Conference , pages 551 -- 560 , 1996 . T. Aslam, I. Krsul, and E. H. Spafford. Use of a taxonomy of security faults. In Proc. 19th NIST-NCSC National Information Systems Security Conference, pages 551--560, 1996."},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.5555\/207583"},{"key":"e_1_2_1_13_1","volume-title":"The RISKS Digest: Forum On Risks To The Public In Computers And Related Systems, 16(38)","author":"Changeable","year":"1994","unstructured":"Changeable constants. The RISKS Digest: Forum On Risks To The Public In Computers And Related Systems, 16(38) , 2 September 1994 . URL : http:\/\/catless.ncl.ac.uk\/Risks\/16.38.html. Changeable constants. The RISKS Digest: Forum On Risks To The Public In Computers And Related Systems, 16(38), 2 September 1994. URL: http:\/\/catless.ncl.ac.uk\/Risks\/16.38.html."},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/586110.586142"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/850693.850694"},{"key":"e_1_2_1_16_1","volume-title":"An Analysis Of Security Incidents On The Internet 1989 --","author":"Howard J. D.","year":"1995","unstructured":"J. D. Howard . 
An Analysis Of Security Incidents On The Internet 1989 -- 1995 . PhD thesis, Carnegie Mellon University , Apr. 1997. J. D. Howard. An Analysis Of Security Incidents On The Internet 1989 -- 1995. PhD thesis, Carnegie Mellon University, Apr. 1997."},{"key":"e_1_2_1_17_1","volume-title":"Writing Secure Code","author":"Howard M.","year":"2003","unstructured":"M. Howard and D. LeBlanc . Writing Secure Code . Microsoft Press , Redmond, WA , third edition, 2003 . M. Howard and D. LeBlanc. Writing Secure Code. Microsoft Press, Redmond, WA, third edition, 2003."},{"key":"e_1_2_1_18_1","first-page":"127","volume-title":"The Internet and Telecommunications: Architectures, Technologies, and Business Developments","author":"Karger P. A.","year":"1998","unstructured":"P. A. Karger . Network security: Threats and solutions . In The Internet and Telecommunications: Architectures, Technologies, and Business Developments , pages 127 -- 133 . International Engineering Consortium , Chicago, IL , 1998 . P. A. Karger. Network security: Threats and solutions. In The Internet and Telecommunications: Architectures, Technologies, and Business Developments, pages 127--133. International Engineering Consortium, Chicago, IL, 1998."},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1109\/RISP.1991.130771"},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/32.106971"},{"key":"e_1_2_1_22_1","volume-title":"Naval Postgraduate School","author":"Lack L.","year":"2003","unstructured":"L. Lack . Using the bootstrap to build an adaptable and compact subversion artifice. Master's thesis , Naval Postgraduate School , June 2003 . L. Lack. Using the bootstrap to build an adaptable and compact subversion artifice. 
Master's thesis, Naval Postgraduate School, June 2003."},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/185403.185412"},{"key":"e_1_2_1_24_1","first-page":"154","volume-title":"Proceedings of the IEEE Symposium on Security and Privacy","author":"Lindquist U.","year":"1997","unstructured":"U. Lindquist and E. Jonsson . How to systematically classify computer security intrusions . In Proceedings of the IEEE Symposium on Security and Privacy , pages 154 -- 163 , 1997 . U. Lindquist and E. Jonsson. How to systematically classify computer security intrusions. In Proceedings of the IEEE Symposium on Security and Privacy, pages 154--163, 1997."},{"key":"e_1_2_1_25_1","volume-title":"Naval Postgraduate School","author":"Murray J.","year":"2003","unstructured":"J. Murray . An exfiltration subversion demonstration. Master's thesis , Naval Postgraduate School , June 2003 . J. Murray. An exfiltration subversion demonstration. Master's thesis, Naval Postgraduate School, June 2003."},{"key":"e_1_2_1_26_1","volume-title":"At the Abyss: An Insider's History of the Cold War","author":"Reed T.","year":"2004","unstructured":"T. Reed . At the Abyss: An Insider's History of the Cold War . Presidio Press , New York , 2004 . T. Reed. At the Abyss: An Insider's History of the Cold War. Presidio Press, New York, 2004."},{"key":"e_1_2_1_27_1","volume-title":"Oct.","author":"SANS.","year":"2004","unstructured":"SANS. The twenty most critical internet security vulnerabilities (version 5.0). web publication: http:\/\/www.sans.org\/top20 , Oct. 2004 . SANS. The twenty most critical internet security vulnerabilities (version 5.0). web publication: http:\/\/www.sans.org\/top20, Oct. 
2004."},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/800179.1124633"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/361268.361275"},{"key":"e_1_2_1_30_1","volume-title":"Jan.","author":"Web Application Security Project The Open","year":"2004","unstructured":"The Open Web Application Security Project . The ten most critical web application security vulnerabilities. Web publication: www.owasp.org , Jan. 2004 . The Open Web Application Security Project. The ten most critical web application security vulnerabilities. Web publication: www.owasp.org, Jan. 2004."},{"key":"e_1_2_1_31_1","volume-title":"DoD OASD(NII) forwarded to Committee on National Security Systems (CNSS)","author":"United States Department of Defense.","year":"2004","unstructured":"United States Department of Defense. Software assurance: mitigating software risks in the dod it and national security systems. Technical report , DoD OASD(NII) forwarded to Committee on National Security Systems (CNSS) , Oct. 2004 . United States Department of Defense. Software assurance: mitigating software risks in the dod it and national security systems. Technical report, DoD OASD(NII) forwarded to Committee on National Security Systems (CNSS), Oct. 2004."},{"key":"e_1_2_1_32_1","volume-title":"BBC News - World Edition","author":"Ward M.","year":"2003","unstructured":"M. Ward . The hidden dangers of documents: Dot.life - how technology changes us . BBC News - World Edition , 18 August 2003 . URL: http:\/\/news.bbc.co.uk\/2\/hi\/technology\/3154479.stm. M. Ward. The hidden dangers of documents: Dot.life - how technology changes us. BBC News - World Edition, 18 August 2003. URL: http:\/\/news.bbc.co.uk\/2\/hi\/technology\/3154479.stm."},{"key":"e_1_2_1_33_1","volume-title":"Duping the soviets: The farewell dossier. Studies in Intelligence, 39(5)","author":"Weiss G.","year":"1996","unstructured":"G. Weiss . Duping the soviets: The farewell dossier. 
Studies in Intelligence, 39(5) , 1996 . URL : http:\/\/www.odci.gov\/csi\/studies\/96unclass\/farewell.htm. G. Weiss. Duping the soviets: The farewell dossier. Studies in Intelligence, 39(5), 1996. URL: http:\/\/www.odci.gov\/csi\/studies\/96unclass\/farewell.htm."},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.5555\/647253.720279"}],"container-title":["ACM SIGSOFT Software Engineering Notes"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1082983.1083209","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/1082983.1083209","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T16:08:05Z","timestamp":1750262885000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1082983.1083209"}},"subtitle":["aiming tools at security"],"short-title":[],"issued":{"date-parts":[[2005,5,15]]},"references-count":29,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2005,7]]}},"alternative-id":["10.1145\/1082983.1083209"],"URL":"https:\/\/doi.org\/10.1145\/1082983.1083209","relation":{"is-identical-to":[{"id-type":"doi","id":"10.1145\/1083200.1083209","asserted-by":"subject"}]},"ISSN":["0163-5948"],"issn-type":[{"value":"0163-5948","type":"print"}],"subject":[],"published":{"date-parts":[[2005,5,15]]},"assertion":[{"value":"2005-05-15","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}