Re: [SystemSafety] Analyses of root causes.

From: Steve Tockey < >
Date: Sat, 27 Jun 2015 11:42:33 +0000

Does this help?

WASC Threat Classification, Version 2.0, Web Applications Security Consortium, Jan, 2010. and

It's the Web Apps Security Consortium's "Threat Catalog". It talks about recognized security threat vectors commonly used against web applications. Some of the threat vectors are web specific, but many are not.


From: Martyn Thomas <martyn_at_xxxxxx Date: Saturday, June 27, 2015 3:53 AM
Subject: Re: [SystemSafety] Analyses of root causes.

Thanks, Drew, but what I'd really like to find are papers that go into details at the level of "buffer overflow", "untrapped exception", "SQL injection" etc - where the failure to do acceptable software engineering is evident.


On 27/06/2015 11:33, Drew Rae wrote:

Without trying to start an argument likely to go nowhere on this list, "most common" is only a question that can be answered with respect to attribution rather than cause.

Here's a sample of papers that might fit your requirements.

There's the Lutz 1993 paper "Analyzing software requirements errors in safety-critical, embedded systems" that tries to classify software errors.

There's a paper by one of my MSc Students Barton & Rae 2012 "Unplugged perils, lost hazards and failed mitigations" that tries to classify problems in the safety lifecycle based on whether the physical hazard was unidentified, or whether it was identified but still led to an accident.

There's a series of papers by Chris Johnson and Michael Holloway looking at Maritime and Aviation accident reports: e.g. "Distribution of Causes in Selected US Aviation Accident Reports between 1996 and 2003"

Of these, the Lutz and Barton papers take a fairly positivist view that you can identify the "underlying errors" in hindsight. The Lutz paper is a product of its time, and doesn't distinguish between categorisation and causation. The Barton paper is a bit more cautious, since it focuses on whether things were known, rather than whether they should have been known.

The Johnson and Holloway papers are more candid about the fact that they can't distinguish patterns in causation from patterns in attribution.


On 27/06/2015, at 8:03 PM, Martyn Thomas wrote:

Can anyone give me a link to any published analyses that identify the most common underlying errors in software (or systems) engineering that have led to exploitable security vulnerabilities or to safety-related failures?


The System Safety Mailing List

The System Safety Mailing List
systemsafety_at_xxxxxx Received on Sat Jun 27 2015 - 13:42:47 CEST

This archive was generated by hypermail 2.3.0 : Tue Jun 04 2019 - 21:17:07 CEST