
Computer Engineering ›› 2006, Vol. 32 ›› Issue (20): 163-165. doi: 10.3969/j.issn.1000-3428.2006.20.059

• Security Technology •

Research on the Classification of the Causes of Software Vulnerabilities

Li Miao1,2,3, Wu Shizhong3

  1. (1. Changchun Institute of Optics, Fine Mechanics and Physics, Changchun 130033; 2. Graduate School of the Chinese Academy of Sciences, Beijing 100089; 3. China Information Technology Security Certification Center, Beijing 100089)
  • Received: 1900-01-01 Revised: 1900-01-01 Online: 2006-10-20 Published: 2006-10-20

Research on Taxonomy of the Software Vulnerabilities Origins

LI Miao1,2,3, WU Shizhong3   

  1. (1. Changchun Institute of Optics, Fine Mechanics and Physics, Changchun 130033; 2. Graduate School of the Chinese Academy of Sciences, Beijing 100089; 3. China Information Technology Security Certification Center, Beijing 100089)
  • Received: 1900-01-01 Revised: 1900-01-01 Online: 2006-10-20 Published: 2006-10-20

Abstract (translated from the Chinese): Software vulnerabilities are the root cause of security incidents, and when a vulnerability is exploited the consequences are severe. Analysis of the vulnerabilities published by CERT or SANS shows that many of them can be attributed to software developers repeatedly making the same class of mistake. This paper classifies the causes of software vulnerabilities. Applications of the classification include guidelines for developers (to avoid common mistakes), teaching material for software engineering students, and a "project checklist" for software testers or auditors.

Keywords (translated from the Chinese): software vulnerability, taxonomy, complete mediation, feature interaction

Abstract: Software vulnerabilities are the root of most security incidents. When these vulnerabilities are exploited, the impact is serious. Analysis of vulnerability alerts distributed by organizations such as CERT or SANS shows that many vulnerabilities can be attributed to the same mistakes made repeatedly by developers. This paper proposes a structured taxonomy of the origins of software vulnerabilities. Such a taxonomy can be used as an aid for developers to avoid common pitfalls, as didactic material for students in software engineering, or as a "checklist" for software testers or auditors.

Key words: Software vulnerability, Taxonomy, Complete mediation, Feature interaction