WebApp Sec mailing list archives
RE: Code Complexity vs. Security
From: "Calderon, Juan Carlos (GE Commercial Finance, NonGE)" <juan.calderon () ge com>
Date: Mon, 26 Jul 2004 14:20:26 -0400
Very interesting!... Even though the actual cost of the application could not (or could) be calculated exactly, having these weights per statement can be very useful for cost calculation. I was thinking of this as an automated task by my favorite editor. That would be really cool...

-----Original Message-----
From: Wolf, Yonah [mailto:Yonah.Wolf () ujc org]
Sent: Monday, July 26, 2004 11:20 AM
To: webappsec () securityfocus com
Subject: RE: Code Complexity vs. Security

Although LOC is definitely a good indicator, I think that there are definitely other metrics that are more telling:

- Measure of inputs and outputs (more so the in than the out) is not so much a measure of complexity, but I imagine that if we give code more entry points, that then gives us additional elements that need to verify their input, which adds to the complexity of security. By this token a highly complicated program with a minimal number of inputs should be relatively more secure than a less complicated program with significantly more inputs. In plain English - a house with only one door is easier to protect than one with 50 windows.

- I used to teach programmers a method called code cost - i.e. different methods are assigned different weights -'prices'- and the most efficient code would be the one that costs the least. For example if it costs $5.00 to cache a dataset and $1.00 for every DB call, then it is worth it to cache the DB call if the data will be used more than 5 times - or - if each IF costs $0.25, consolidate your logic to eliminate unnecessary IFs. (This isn't the easiest example to use if you don't have a concrete example.) In this situation, the higher the 'cost', the more complex the program is. It can also be inferred that more 'expensive' programs are in fact more expensive, as they will require more effort to develop and maintain, and may take longer to debug as it might be harder to isolate the problem.
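The "code cost" method and the input-count metric described above, turned into the kind of automated editor task Juan Carlos mentions. This is an added example written for this archive page, not code from either poster. The $1.00 DB call, $5.00 cache and $0.25 IF prices are taken from the post; the $2.00 price per external input, the names used to recognise DB calls (`query`, `execute`), the caching helper (`cache`) and the input object (`request.*`, builtin `input()`) are assumptions, as are the two sample handlers it scores. It walks a Python AST, counts each priced construct, and reports the total price and the number of entry points separately, so the "one door versus 50 windows" figure is visible on its own.

```python
"""Static 'code cost' scorer: price each construct, sum to a total.

Added example. Prices for db_call / cache / if come from the mailing-list
post; the 'input' price and every recognised name below are assumptions.
"""
import ast

# Price list. The first three figures are the post's; "input" is an assumed
# price standing in for the post's "measure of inputs" metric.
COSTS = {
    "db_call": 1.00,
    "cache": 5.00,
    "if": 0.25,
    "input": 2.00,
}

DB_CALL_NAMES = {"query", "execute"}   # assumed names of DB access methods
CACHE_NAMES = {"cache"}                # assumed name of the caching helper
INPUT_CALL_NAMES = {"input"}           # builtin input() is an entry point
INPUT_OBJECTS = {"request"}            # any request.<attr> read is an entry point


def call_name(func):
    """Return the bare callee name for f(...) or obj.f(...), else None."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


class CostVisitor(ast.NodeVisitor):
    """Count every priced construct in a parsed module."""

    def __init__(self):
        self.counts = {key: 0 for key in COSTS}

    def visit_If(self, node):
        self.counts["if"] += 1
        self.generic_visit(node)

    def visit_Call(self, node):
        name = call_name(node.func)
        if name in DB_CALL_NAMES:
            self.counts["db_call"] += 1
        elif name in CACHE_NAMES:
            self.counts["cache"] += 1
        elif name in INPUT_CALL_NAMES:
            self.counts["input"] += 1
        self.generic_visit(node)

    def visit_Attribute(self, node):
        # request.args, request.form, ...: each read is a place where
        # untrusted data enters and has to be validated.
        if isinstance(node.value, ast.Name) and node.value.id in INPUT_OBJECTS:
            self.counts["input"] += 1
        self.generic_visit(node)


def code_cost(source):
    """Parse Python source and return (counts per construct, total price)."""
    visitor = CostVisitor()
    visitor.visit(ast.parse(source))
    total = sum(COSTS[key] * n for key, n in visitor.counts.items())
    return visitor.counts, round(total, 2)


def worth_caching(uses):
    """The post's rule of thumb: cache once the data is used more than
    cache_price / db_call_price times (5 with the prices above)."""
    return uses * COSTS["db_call"] > COSTS["cache"]


# Constructed sample handlers (not real application code): the same logic
# written with repeated DB calls and with two cached result sets.
UNCACHED = '''
def handler(request, db):
    name = request.args.get("name")
    mode = request.form.get("mode")
    if db.query("SELECT role FROM users WHERE name=?", name) == "admin":
        if mode == "edit":
            return db.query("SELECT * FROM docs WHERE owner=?", name)
        if mode == "view":
            return db.query("SELECT title FROM docs WHERE owner=?", name)
    if db.query("SELECT role FROM users WHERE name=?", name) == "guest":
        return db.query("SELECT title FROM docs WHERE public=1")
    return None
'''

CACHED = '''
def handler(request, db):
    name = request.args.get("name")
    mode = request.form.get("mode")
    role = cache(db.query("SELECT role FROM users WHERE name=?", name))
    docs = cache(db.query("SELECT * FROM docs WHERE owner=?", name))
    if role == "admin" and mode in ("edit", "view"):
        return docs
    if role == "guest":
        return db.query("SELECT title FROM docs WHERE public=1")
    return None
'''

if __name__ == "__main__":
    for label, src in (("uncached", UNCACHED), ("cached", CACHED)):
        counts, total = code_cost(src)
        print(f"{label}: entry points={counts['input']} counts={counts} price=${total:.2f}")
    print("cache pays off at >5 uses:", worth_caching(5), worth_caching(6))
```

With these prices the cached variant is the dearer one (each `cache()` costs $5.00 and the data is only read a couple of times), which is exactly the post's break-even point in action: the scorer only rewards caching when a result set is used more than five times. The entry-point count is the same for both, since the metric separates "how much can an attacker reach" from "how tangled is the logic".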