WebApp Sec mailing list archives

RE: Code Complexity vs. Security

From: "Michael Silk" <michaels () phg com au>
Date: Tue, 27 Jul 2004 12:58:30 +1000

Hi Skip,

        Of course, insecure design is a major issue too, but "metrics"
don't
        measure that - I was commenting on the user of LOC or
Cyclometric Complexity
        to measure your security effectiveness ("complexity") and how it
seems
        not very wise to esimate complexity based on the larger sized
code.

        And especially for buffer overflows, most of these could be
avoided if
        the programmer decided to actually *check* the value he was
passing to
        the allocate function (i.e. more code, hence metric-finder would
call
        it less secure ;)).

-- Michael

-----Original Message-----
From: Skip Carter [mailto:skip () taygeta com]
Sent: Tuesday, 27 July 2004 7:48 AM
To: webappsec () securityfocus com
Subject: Re: Code Complexity vs. Security

      I would suggest that almost all programming errors (and
      hence security problems) come from some programmer attempting
      to be "smart" and reduce the size of his/her code.


Hmmm.  While I agree that ill considered programming cleverness is one
source 
of
problems.  But there seems to be an entire class of security issues that
have 
nothing
to do with bugs but with an insecure design.  Consider an absolutely
bug-free 
program
that controls access to a database via a text file using ROT-13
encryption.





Skip



-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip () taygeta com
 1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
 Monterey, CA. 93940            













This email message and accompanying data may contain information that is confidential and/or subject to legal 
privilege. If you are not the intended recipient, you are notified that any use, dissemination, distribution or copying 
of this message or data is prohibited. If you have received this email message in error, please notify us immediately 
and erase all copies of this message and attachments.

This email is for your convenience only, you should not rely on any information contained herein for contractual or 
legal purposes. You should only rely on information and/or instructions in writing and on company letterhead signed by 
authorised persons.

Current thread:

Re: Code Complexity vs. Security, (continued)
- - - Re: Code Complexity vs. Security Ed Moyle (Jul 26)
    - RE: Code Complexity vs. Security Mark Curphey (Jul 25)
    - Re: Code Complexity vs. Security Adam Shostack (Jul 25)
- RE: Code Complexity vs. Security Michael Silk (Jul 25)
  - Re: Code Complexity vs. Security Skip Carter (Jul 26)
- RE: Code Complexity vs. Security Wolf, Yonah (Jul 26)
- RE: Code Complexity vs. Security Calderon, Juan Carlos (GE Commercial Finance, NonGE) (Jul 26)
- RE: Code Complexity vs. Security Mark Mcdonald (Jul 26)
- RE: Code Complexity vs. Security Mark Mcdonald (Jul 26)
- RE: Code Complexity vs. Security Michael Silk (Jul 26)
- RE: Code Complexity vs. Security Michael Silk (Jul 26)
- RE: Code Complexity vs. Security Stan Guzik (Jul 27)
  - Re: Code Complexity vs. Security Martin Mačok (Jul 28)