WebApp Sec mailing list archives

RE: Code Complexity vs. Security


From: "Stan Guzik" <SGuzik () ImmediaTech com>
Date: Tue, 27 Jul 2004 09:05:06 -0400

This reminds me of big-O notation.  Anyone using big-O? 

http://www.nist.gov/dads/HTML/bigOnotation.html


-----Original Message-----
From: Calderon, Juan Carlos (GE Commercial Finance, NonGE)
[mailto:juan.calderon () ge com] 
Sent: Monday, July 26, 2004 2:20 PM
To: Wolf, Yonah
Cc: webappsec () securityfocus com
Subject: RE: Code Complexity vs. Security

Very Interesting!...

Even though the actual cost of the application could not (or could) be
calculated exactly, having these weights per statement can be very useful
for cost calculation.

I was thinking of this as an automated task by my favorite editor. That
would be really cool...


-----Original Message-----
From: Wolf, Yonah [mailto:Yonah.Wolf () ujc org]
Sent: Monday, July 26, 2004 11:20 AM
To: webappsec () securityfocus com
Subject: RE: Code Complexity vs. Security


Although LOC is definitely a good indicator, I think that there are
definitely other metrics that are more telling:

- Measure of inputs and outputs (more so the in than the out) is not so
much a measure of complexity, but I imagine that if we give code more
entry points, that then gives us additional elements that need to verify
their input, which adds to the complexity of security. By this token a
highly-complicated program with a minimal number of inputs should be
relatively more secure than a less complicated program with
significantly more inputs. In plain English - a house with only one door
is easier to protect than one with 50 windows.

- I used to teach programmers a method called code cost - i.e. different
methods are assigned different weights ('prices') and the most
efficient code would be the one that costs the least. For example, if it
costs $5.00 to cache a dataset and $1.00 for every db call, then it is
worth it to cache the DB call if the data will be used more than 5 times
- or - if each IF costs $0.25, consolidate your logic to eliminate
unnecessary IFs.  (This isn't the easiest example to use if you don't
have a concrete example.) In this situation, the higher the 'cost', the
more complex the program is. It can also be inferred that more
'expensive' programs are in fact more expensive, as they will require
more effort to develop and maintain, and may take longer to debug as it
might be harder to isolate the problem.
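As an added example (not from any poster in this thread), a small Python scanner that applies the "code cost" weights Yonah describes to a source file and also tallies function parameters as a rough input/entry-point count. The weights, the helper names `db.query` and `cache_dataset`, and the two sample functions are constructed assumptions.

```python
import ast

# Assumed weights after the post: $0.25 per IF, $1.00 per DB call, $5.00 per
# cached dataset. The DB/cache helper names are assumptions for the samples.
WEIGHTS = {"if": 0.25, "db_call": 1.00, "cache": 5.00}
CALL_KIND = {"query": "db_call", "execute": "db_call", "cache_dataset": "cache"}

class CostVisitor(ast.NodeVisitor):
    def __init__(self):
        self.counts = {k: 0 for k in WEIGHTS}
        self.inputs = 0  # parameters = externally supplied values to validate

    def visit_If(self, node):
        self.counts["if"] += 1
        self.generic_visit(node)

    def visit_Call(self, node):
        f = node.func
        name = f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", "")
        if name in CALL_KIND:
            self.counts[CALL_KIND[name]] += 1
        self.generic_visit(node)

    def visit_FunctionDef(self, node):
        self.inputs += len(node.args.args)
        self.generic_visit(node)

def code_cost(source):
    # Returns (total cost, per-kind counts, number of input parameters).
    v = CostVisitor()
    v.visit(ast.parse(source))
    return sum(WEIGHTS[k] * n for k, n in v.counts.items()), v.counts, v.inputs

# Constructed samples: the same report, with and without caching the dataset.
UNCACHED = '''
def report(user_id, region, fmt):
    a = db.query(user_id); b = db.query(user_id); c = db.query(user_id)
    d = db.query(user_id); e = db.query(user_id); f = db.query(user_id)
    if fmt == "json":
        return a
    if region:
        return b
    return c, d, e, f
'''
CACHED = '''
def report(user_id, region, fmt):
    rows = cache_dataset(user_id)
    if fmt == "json":
        return rows
    return rows if region else None
'''
```

With these weights the uncached version costs 6.50 (6 DB calls plus 2 IFs) against 5.25 for the cached one, so caching pays off, while both expose the same three input parameters.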

