Secure Coding mailing list archives

Microsoft Pushes Secure, Quality Code


From: gem at cigital.com (Gary McGraw)
Date: Mon, 8 Oct 2007 15:38:52 -0400

Not surprising.  Last time I looked, attack surface is subjective.  McCabe is not.  BTW, McCabe's Cyclomatic complexity 
boils down to 85% lines of code and 15% data flow if you do a principal component analysis on it.  Just throw the code 
in the box and turn the crank.  Then discard the results and you're done!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

-----Original Message-----
From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of Steven M. Christey
Sent: Monday, October 08, 2007 1:15 PM
To: Secure Coding
Subject: Re: [SC-L] Microsoft Pushes Secure, Quality Code


Interesting that attack surface isn't included, given that Microsoft was one of the earliest advocates of attack 
surface, a metric that is likely strongly associated with the number of input-related vulnerabilities.
It's probably hard to do perfectly, though, especially if any third-party APIs are involved.

Are there any tools out there that try to measure attack surface?  Has anybody had any experience in trying to apply it?

- Steve
_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - 
http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the 
software security community.
_______________________________________________
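As an added illustration of what the McCabe metric actually counts (this is not code from either poster), a small cyclomatic-complexity counter over Python's ast module, run against constructed sample functions so the decision-point count can be set beside plain lines of code. The counting rules (one point per branch, per short-circuit operand, per comprehension clause) are an approximation of the standard convention, not a reference implementation.

```python
"""Cyclomatic complexity vs. lines of code, measured over constructed samples."""
import ast
import textwrap

# Each of these nodes adds one edge to the control-flow graph, i.e. one decision point.
_BRANCH_NODES = (ast.If, ast.For, ast.AsyncFor, ast.While, ast.ExceptHandler, ast.IfExp)


def cyclomatic_complexity(func_src: str) -> int:
    """McCabe complexity of one function: 1 + number of decision points."""
    tree = ast.parse(textwrap.dedent(func_src))
    complexity = 1
    for node in ast.walk(tree):
        if isinstance(node, _BRANCH_NODES):
            complexity += 1
        elif isinstance(node, ast.BoolOp):
            # `a and b and c` short-circuits twice: two extra paths
            complexity += len(node.values) - 1
        elif isinstance(node, ast.comprehension):
            # every `for` clause and every `if` filter in a comprehension is a branch
            complexity += 1 + len(node.ifs)
    return complexity


def lines_of_code(func_src: str) -> int:
    """Non-blank, non-comment source lines (the crude LOC measure)."""
    return sum(
        1 for line in textwrap.dedent(func_src).splitlines()
        if line.strip() and not line.strip().startswith("#")
    )


# Constructed sample functions; the comprehension case shows complexity rising
# without a matching rise in line count.
SAMPLES = {
    "straight_line": "def f(x):\n    y = x + 1\n    z = y * 2\n    return z\n",
    "branchy": (
        "def g(items):\n    total = 0\n    for item in items:\n"
        "        if item > 0 and item % 2 == 0:\n            total += item\n"
        "        elif item < 0:\n            total -= item\n    return total\n"
    ),
    "list_comp": "def h(rows):\n    return [r for r in rows if r]\n",
}


def measure(samples=SAMPLES):
    """Return {name: (lines_of_code, cyclomatic_complexity)} for each sample."""
    return {name: (lines_of_code(src), cyclomatic_complexity(src))
            for name, src in samples.items()}
```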


