Flaws and vulnerabilities are perhaps the easiest two security defects to mix up, leading many security professionals to wonder what exactly is the difference between the two.
To put it simply, a flaw is an implementation defect that can lead to a vulnerability, and a vulnerability is a condition in your code that an attacker can actually exploit. A flaw that is not exploitable today can become exploitable later as environments and architectures change: a refactor, a new integration, or a new deployment model can put untrusted input, and therefore an attacker, within reach of code that was previously only called by trusted callers. In other words, a change to the architecture or to the function of your application can expose attack paths that were previously hidden.
Once someone has figured out a way to attack, or exploit, a flaw, the flaw becomes a vulnerability. If you are still confused, think of it this way: all vulnerabilities are flaws, but not all flaws are vulnerabilities, and every flaw has the potential to become one.
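The following is an added example, not code from the original article, that walks through the distinction above in working code. It models a single unchecked path join (a CWE-22 style weakness): while the only caller passes fixed report names, the flaw exists but nothing an attacker controls reaches it; once a later change wires an HTTP query parameter into the same function, the unchanged flaw becomes a vulnerability. All names, the report directory, and the request shape are hypothetical and chosen for illustration.

```python
"""Added example (not from the original article): one flaw, the change that
turns it into a vulnerability, and a hardened form of the same function.

Hypothetical names throughout: REPORT_DIR, report_path(), monthly_report(),
handle_request() and safe_report_path() exist only for this illustration.
"""
import os

REPORT_DIR = "/srv/app/reports"          # assumed base directory (hypothetical)
KNOWN_REPORTS = ("q1.txt", "q2.txt")     # the only values the original caller ever used


def report_path(name: str) -> str:
    """Flawed: joins an unchecked name under REPORT_DIR.

    This is the weakness (CWE-22 class). Nothing here validates `name`, so
    "../" segments or an absolute path escape REPORT_DIR. Whether that is a
    vulnerability depends entirely on who can choose `name`.
    """
    return os.path.normpath(os.path.join(REPORT_DIR, name))


def monthly_report(quarter: int) -> str:
    """Original caller: `name` comes from a fixed table, never from a user.

    The flaw in report_path() is present, but no attacker-controlled value
    reaches it, so at this point it is a flaw and not a vulnerability.
    """
    return report_path(KNOWN_REPORTS[quarter])


def handle_request(query: dict) -> str:
    """Later architectural change: a web handler forwards the `report` query
    parameter straight into report_path(). report_path() did not change, yet
    the flaw is now reachable by anyone who can send a request, which is what
    makes it a vulnerability.
    """
    return report_path(query.get("report", ""))


def escapes_base(path: str, base: str = REPORT_DIR) -> bool:
    """Detection check: True when `path` resolves outside `base`."""
    base = os.path.normpath(base)
    return os.path.commonpath([base, path]) != base


def safe_report_path(name: str) -> str:
    """Hardened form: reject any name that does not resolve to a file strictly
    inside REPORT_DIR (absolute paths, traversal, and the empty name)."""
    base = os.path.normpath(REPORT_DIR)
    candidate = os.path.normpath(os.path.join(base, name))
    if os.path.isabs(name) or candidate == base or escapes_base(candidate, base):
        raise ValueError("report name resolves outside the report directory")
    return candidate


if __name__ == "__main__":
    # Constructed inputs: a trusted caller, then an attacker-controlled request.
    print("trusted caller  :", monthly_report(0))
    hostile = {"report": "../../../etc/passwd"}
    resolved = handle_request(hostile)
    print("hostile request :", resolved, "(escapes base:", escapes_base(resolved), ")")
    try:
        safe_report_path(hostile["report"])
    except ValueError as exc:
        print("hardened        : rejected,", exc)
```

The point of the two callers is that the defect in `report_path()` never changes; only its reachability does. A CWE-class weakness found by a scanner in `report_path()` is worth fixing before a refactor like `handle_request()` lands, because at that point it is still a flaw rather than a vulnerability.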
For guidance on flaws, a helpful resource is MITRE's Common Weakness Enumeration (CWE), a catalogue of weakness classes that provides a common baseline for naming the kinds of defects in application code and design that can result in vulnerabilities. Each weakness class has a CWE identifier, which is what code scanners and vulnerability records use to describe the underlying defect.
A vulnerability arises only when a structural defect is realized in a way that allows an attack to occur. Specific vulnerabilities, as opposed to weakness classes, are catalogued in MITRE's Common Vulnerabilities and Exposures (CVE) list: each CVE entry is a recognized, publicly known vulnerability in an existing product or codebase. You can also reference the National Institute of Standards and Technology's National Vulnerability Database (NVD), which is updated whenever a new entry is added to the CVE list. The NVD supplements CVE with additional analysis of each vulnerability, including a CVSS severity score, affected-product (CPE) data, and a mapping to the relevant CWE weakness class, which helps you judge the impact a vulnerability can have on your organization.