WebApp Sec mailing list archives
RE: Code Complexity vs. Security
From: "Michael Silk" <michaels () phg com au>
Date: Tue, 27 Jul 2004 12:58:30 +1000
Hi Skip,

Of course, insecure design is a major issue too, but "metrics" don't measure that - I was commenting on the use of LOC or Cyclomatic Complexity to measure your security effectiveness ("complexity") and how it seems not very wise to estimate complexity based on the larger sized code.

And especially for buffer overflows, most of these could be avoided if the programmer decided to actually *check* the value he was passing to the allocate function (i.e. more code, hence metric-finder would call it less secure ;)).

-- Michael

-----Original Message-----
From: Skip Carter [mailto:skip () taygeta com]
Sent: Tuesday, 27 July 2004 7:48 AM
To: webappsec () securityfocus com
Subject: Re: Code Complexity vs. Security

> I would suggest that almost all programming errors (and hence security problems) come from some programmer attempting to be "smart" and reduce the size of his/her code.

Hmmm. While I agree that ill-considered programming cleverness is one source of problems, there seems to be an entire class of security issues that have nothing to do with bugs but with an insecure design. Consider an absolutely bug-free program that controls access to a database via a text file using ROT-13 encryption.

Skip

--
Dr. Everett (Skip) Carter            Phone: 831-641-0645 FAX: 831-641-0647
Taygeta Scientific Inc.              INTERNET: skip () taygeta com
1340 Munras Ave., Suite 314          WWW: http://www.taygeta.com
Monterey, CA. 93940
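The point Michael makes about "more code" is easy to see in C. The following is an added example, not code from either poster: the same copy-into-a-fresh-buffer operation written once with the element count handed straight to malloc, and once with the checks that make it safe. The record layout (a caller-supplied element count followed by that many 16-byte elements) and the function names are assumptions for the illustration. Every `if` in the checked version adds one to its cyclomatic complexity, so a complexity or LOC metric would score the exploitable version as the "simpler" one.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Record layout assumed for this example: a caller-supplied element
 * count followed by that many ELEM_SIZE-byte elements. */
#define ELEM_SIZE 16u

/* Before: the count taken from the input goes straight to malloc and
 * memcpy. Nothing stops count from exceeding what src actually holds,
 * nothing stops count * ELEM_SIZE from wrapping on a 32-bit size_t, and
 * a NULL from malloc is dereferenced. Cyclomatic complexity 1, which a
 * metric-driven review would call the "simple" version. Kept here only
 * as the 'before'; main() never calls it with hostile input. */
unsigned char *copy_elems_unchecked(const unsigned char *src, size_t count)
{
    unsigned char *dst = malloc(count * ELEM_SIZE);
    memcpy(dst, src, count * ELEM_SIZE);
    return dst;
}

/* After: the same operation with the value actually checked before it
 * reaches malloc. Three extra decisions (cyclomatic complexity 4), and
 * this is the version that cannot be made to read or write past a
 * buffer. Returns NULL for any input it refuses or cannot satisfy.
 * (malloc(0) is implementation-defined; callers that accept an empty
 * record should special-case count == 0 themselves.) */
unsigned char *copy_elems_checked(const unsigned char *src, size_t src_len,
                                  size_t count)
{
    if (count > SIZE_MAX / ELEM_SIZE)   /* count * ELEM_SIZE would wrap */
        return NULL;
    size_t nbytes = count * ELEM_SIZE;
    if (nbytes > src_len)               /* header claims more than src holds */
        return NULL;
    unsigned char *dst = malloc(nbytes);
    if (dst == NULL)                    /* allocation failure */
        return NULL;
    memcpy(dst, src, nbytes);
    return dst;
}

/* Constructed input: two genuine elements, then headers that lie. */
int main(void)
{
    unsigned char payload[2 * ELEM_SIZE];
    memset(payload, 0xAB, sizeof payload);

    unsigned char *ok = copy_elems_checked(payload, sizeof payload, 2);
    printf("count=2        -> %s\n", ok ? "copied" : "rejected");
    free(ok);

    unsigned char *lie = copy_elems_checked(payload, sizeof payload, 1000);
    printf("count=1000     -> %s\n", lie ? "copied" : "rejected");

    unsigned char *wrap = copy_elems_checked(payload, sizeof payload, SIZE_MAX);
    printf("count=SIZE_MAX -> %s\n", wrap ? "copied" : "rejected");
    return 0;
}
```

Compile with warnings on (`cc -Wall -Wextra`) and both functions compile cleanly; the compiler does not see the difference, only the reviewer and the attacker do, which is why a size-based metric says nothing about which one is secure.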
Current thread:
- Re: Code Complexity vs. Security, (continued)
- Re: Code Complexity vs. Security Ed Moyle (Jul 26)
- RE: Code Complexity vs. Security Mark Curphey (Jul 25)
- Re: Code Complexity vs. Security Adam Shostack (Jul 25)
- RE: Code Complexity vs. Security Michael Silk (Jul 25)
- Re: Code Complexity vs. Security Skip Carter (Jul 26)
- RE: Code Complexity vs. Security Wolf, Yonah (Jul 26)
- RE: Code Complexity vs. Security Calderon, Juan Carlos (GE Commercial Finance, NonGE) (Jul 26)
- RE: Code Complexity vs. Security Mark Mcdonald (Jul 26)
- RE: Code Complexity vs. Security Mark Mcdonald (Jul 26)
- RE: Code Complexity vs. Security Michael Silk (Jul 26)
- RE: Code Complexity vs. Security Michael Silk (Jul 26)
- RE: Code Complexity vs. Security Stan Guzik (Jul 27)
- Re: Code Complexity vs. Security Martin Mačok (Jul 28)