Security Bugs Are Fundamentally Different Than Quality Bugs
This topic has come up a few times this year in question period: arguments that quality bugs and security bugs “have equal value,” that security testing and QA are “the same thing,” that security testing should “just be performed by QA” and that “there’s no specific skillset” required to do security testing versus QA. This article will explain why I fundamentally disagree with all of those statements.
First, some definitions.
A software bug is an error, flaw, failure, or fault in a computer program or system that causes it to produce an incorrect or unexpected result, or to behave in unintended ways.
A security bug is specifically a bug that causes a vulnerability. A vulnerability is a weakness which can be exploited by a threat actor, such as an attacker, to perform unauthorized actions within a computer system.
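To make the distinction concrete, here is an added illustration that is not part of the original article: a hypothetical file-download handler backed by a constructed in-memory file store. The first version returns exactly the right file for every input a functional test would use, so QA sees no defect at all; yet a single crafted name walks out of the upload directory, which is a security bug by the definition above. The second version normalizes the path and refuses anything that does not stay under the base directory. `BASE_DIR`, `FILES`, and the two `download_*` functions are assumptions made for this example.

```python
import posixpath

# Constructed stand-in for a directory on disk (not a real filesystem).
BASE_DIR = "/srv/app/uploads"
FILES = {
    "/srv/app/uploads/report.pdf": b"%PDF-report",
    "/srv/app/uploads/notes.txt": b"notes",
    # A file outside the upload directory that the handler must never serve.
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh",
}


def _read_file(path):
    """Look up a path in the constructed store; None if absent."""
    return FILES.get(path)


def download_vulnerable(name):
    """Quality-wise correct: every legitimate name maps to the right file.

    Security-wise broken: the user-supplied name is joined to BASE_DIR
    without checking where the normalized result ends up, so "../" segments
    escape the upload directory (path traversal).
    """
    full = posixpath.normpath(posixpath.join(BASE_DIR, name))
    return _read_file(full)


def download_hardened(name):
    """Same functional behaviour for legitimate names, but the resolved path
    must stay strictly inside BASE_DIR; anything else is rejected with None.
    Absolute names are also rejected, since posixpath.join discards BASE_DIR
    when the second argument starts with "/".
    """
    full = posixpath.normpath(posixpath.join(BASE_DIR, name))
    if not full.startswith(BASE_DIR + "/"):
        return None
    return _read_file(full)


def functional_check(handler):
    """What a QA test typically asserts: valid names return the right bytes."""
    return (handler("report.pdf") == b"%PDF-report"
            and handler("notes.txt") == b"notes")


def security_check(handler):
    """What a security test asserts: hostile names must not leave BASE_DIR."""
    hostile = ["../../../etc/passwd", "/etc/passwd", "notes.txt/../../../etc/passwd"]
    return all(handler(n) is None for n in hostile)


if __name__ == "__main__":
    for fn in (download_vulnerable, download_hardened):
        print(fn.__name__, "functional:", functional_check(fn),
              "security:", security_check(fn))
```

Both handlers pass `functional_check`; only the hardened one passes `security_check`. That is the gap the article is pointing at: a test suite built around intended behaviour cannot tell the two versions apart, because the defect only appears under input nobody intended.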
Someone is wearing camouflage. — #MSIgniteTheTour, Toronto, 2019