A defect in a program at the architecture or design level. Such defects may not be
evident from examining the source code alone.
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/risk/248-BSI.html
Error of commission,
omission, or oversight in an information system that may allow protection
mechanisms to be bypassed. [CNSSI_4009:2010]
A software security defect
at the architecture or design level. Flaws may not be apparent given only
source code of a software system.
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/risk/248-BSI.html
Flaws are defects that exist in the software's design. A flaw may or may
not represent a vulnerability in the underlying software. Mitigating a flaw
typically involves significantly more effort than modifying a few lines of code:
the problem does not lie solely in the implementation; the underlying design is
flawed, and therefore any implementation that follows the design contains the
flaw. For instance, performing sensitive business logic in an untrusted client
application is a design flaw that cannot be mitigated by a simple implementation
fix such as correcting an array bound.
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/attack/590-BSI.html
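The client-side business-logic flaw mentioned above, as an added example that is not taken from the cited BSI or CNSSI sources. The catalog, the request shape and the function names are assumptions for illustration. The flawed checkout trusts a total computed in the browser; the corrected design moves the computation to the server, which is a change to where the logic lives rather than a patch to a few lines.

```javascript
// Added example, not code from the cited sources. Catalog, request shape
// and function names are assumptions for illustration.

// Server-side price catalog (constructed sample data, prices in cents).
const CATALOG = Object.freeze({
  "sku-100": 1999,
  "sku-200": 4500,
});

// Client side: the browser sums the cart and sends the total it computed.
// Anything computed here can be altered by the user before it reaches the server.
function clientBuildRequest(cart) {
  let total = 0;
  for (const { sku, qty } of cart) total += CATALOG[sku] * qty;
  return { cart, total };
}

// Flawed design: the server charges whatever total the client sent.
// No small edit to this function fixes the problem; the trust boundary is wrong.
function flawedCheckout(request) {
  return { charged: request.total };
}

// Corrected design: the server recomputes the total from its own catalog and
// validates every cart line; the client's "total" field is ignored entirely.
function hardenedCheckout(request) {
  let total = 0;
  for (const item of request.cart) {
    const price = CATALOG[item.sku];
    if (price === undefined) throw new Error(`unknown sku ${item.sku}`);
    if (!Number.isInteger(item.qty) || item.qty < 1 || item.qty > 100) {
      throw new Error(`invalid quantity for ${item.sku}`);
    }
    total += price * item.qty;
  }
  return { charged: total };
}

// Simulate a user editing the request in browser devtools or an intercepting proxy.
function tamper(request) {
  return { ...request, total: 1 };
}

const honest = clientBuildRequest([
  { sku: "sku-100", qty: 2 },
  { sku: "sku-200", qty: 1 },
]);
const tampered = tamper(honest);
console.log(flawedCheckout(tampered).charged);   // 1: the design flaw is exploitable
console.log(hardenedCheckout(tampered).charged); // 8498: the server's own figure
```

The hardened version still accepts the cart from the client, because the cart is user input by nature; what it refuses to accept is a conclusion (the amount to charge) that only the server is in a position to draw.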