Cost of provably-correct code

[peter.amey at praxis-his.com (Peter Amey)]

 [Re-send, I am not sure the first copy made it to the list]

> -----Original Message-----
> From: sc-l-bounces at securecoding.org
> [mailto:sc-l-bounces at securecoding.org
<mailto:sc-l-bounces at securecoding.org> ] On Behalf Of Crispin Cowan
> Sent: 21 July 2006 18:45
> To: mikeiscool
> Cc: SC-L at securecoding.org
> Subject: Re: [SC-L] bumper sticker slogan for secure software
>
> mikeiscool wrote:
> > On 7/21/06, Dana Epp <dana at vulscan.com> wrote:
> >
> > > > yeah.
> > > > but none of this changes the fact that it IS possible to
> write completely secure code.
> > > >
> > > And it IS possible that a man will walk on Mars someday. 
> But its not
> > > practical or realistic in the society we live in today. I'm sorry 
> > > mic, but I have to disagree with you here.
> > >
> > > It is EXTREMELY difficult to have code be 100% correct if an 
> > > application has any level of real use or complexity. There
> will be security defects.
> > >
> > Why? Why accept this as a fact? It is not a fact. If you put 
> > procedures in place and appropriately review and test you can be 
> > confident.

> Sorry, but it is a fact. Yes, you can have provably correct code. Cost

> is approximately $20,000 per line of code. That is what the 
> "procedures"
> required for correct code cost. Oh, and they are kind of super-linear,

> so one program of 200 lines costs more than 2 programs of 100 lines.

I would be fascinated to know where this figure comes from. Our
experience is that formal development methods, which at least offer the
possibility of defect-free software, are /cheaper/ as well as resulting
in lower rates of defect. At least one major organization, with rather a
strong interest in security, agrees with us (see:
http://www.praxis-his.com/news/TokeneerNews.asp
<http://www.praxis-his.com/news/TokeneerNews.asp>  or, for the full
paper, http://www.praxis-his.com/pdfs/issse2006tokeneer.pdf
<http://www.praxis-his.com/pdfs/issse2006tokeneer.pdf> ).

I think we have to /aim/ for zero defects and choose technical
approaches that make that aim credible. If we don't then what defect
rate shall we aim for and how will we know if we have achieved it? 

Of course, as good engineers, we should never allow ourselves the hubris
of /believing/ we have achieved zero defects but that doesn't invalidate
the aim. (Aircraft manufacturers do a great deal of mathematical
analysis of stresses in wings but still proof load test each new design;
they don't expect to find any problems because of the amount of analysis
they have done but, very occasionally, they do).

regards

 

Peter



**********************************************************************

This email is confidential and intended solely for the use of the individual to whom it is addressed.  If you are not 
the intended recipient, be advised that you have received this email in error and that any use, disclosure, copying or 
distribution or any action taken or omitted to be taken in reliance on it is strictly prohibited.  If you have received 
this email in error please contact the sender.  Any views or opinions presented in this email are solely those of the 
author and do not necessarily represent those of Praxis High Integrity Systems Ltd (Praxis HIS). 

 Although this email and any attachments are believed to be free of any virus or other defect, no responsibility is 
accepted by Praxis HIS or any of its associated companies for any loss or damage arising in any way from the receipt or 
use thereof.  The IT Department at Praxis HIS can be contacted at it.support at praxis-his.com

**********************************************************************