WebApp Sec mailing list archives
Re: Code Complexity vs. Security
From: Suha Demir CAN <sdcan () gsu linux org tr>
Date: Sun, 25 Jul 2004 19:18:39 +0300 (EEST)
The authors state that (paraphrasing): "estimates are anywhere between 5 to 50 bugs per KLOC (thousand lines of code) in that book. The numbers correspond to a system that has undergone rigorous quality assurance and a system that has only been feature tested, like most commercial software." They also include LOC counts for some software systems: Windows XP (40M), Space Station (40M), Linux (1.5M), Windows 95 (<5M), etc.

I can't think of any code complexity metrics other than LOC, and even that isn't most satisfying. Can anyone think of any general one?

IMHO, it wouldn't be wrong to think "more LOC, more bugs" as a general guideline. The number and nature of entry points to the program can also have a value in determining the risk level the software is exposed to.

Suha Demir Can

----------------------------------------------------------------------
"When the game is over, the king and the pawn go in the same box"
-----> sdcan <-----
GCS d? s:+>: a-- C++(++++)$ UL+++ P+ L+++ E---- W+(++) N+() o? K? w(---)
!0 M-(+) !V PS+ PE- Y+ PGP t- 5? X-(+) R+(+++) tv b++ DI D+ G++ e+>++ h-(!) r* y+
----------------------------------------------------------------------

On Sat, 24 Jul 2004, David King wrote:
> I remember there was a section on this near the beginning of the book
> "Exploiting Software: How to Break Code" (Greg Hoglund and Gary McGraw). If I
> remember right they cite a couple of studies and they seem to believe the
> number of lines of code is one of the best indicators of the number of bugs
> the software will have.
>
> Dave King
> www.thesecure.net
>
> On Sat, 24 Jul 2004 20:36:07 -0600, David King <davewking () gmail com> wrote:
>
> > I remember in the book "Exploiting Software: How to Break Code" (Greg
> > Hoglund and Gary McGraw) there was a section on this near the beginning of
> > the book. If I remember right they cite a couple of studies and they seem to
> > believe the number of lines of code is one of the best indicators of the
> > number of bugs the software will have.
> >
> > Dave King
> > www.thesecure.net
> >
> > On Fri, 23 Jul 2004 21:25:20 +0000, Gunnar Peterson <gunnar () arctecgroup net> wrote:
> >
> > > Dan Geer's Blackhat Windows keynote talk last January charted lines of
> > > code against vulnerabilities over time. LOC is not complexity per se, but
> > > it is an indicator.
> > >
> > > Quoting Mark Curphey <mark () curphey com>:
> > >
> > > > Has anyone seen any good studies that analytically compare the security
> > > > quality of code to code complexity?
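The thread leans on "N bugs per KLOC" without pinning down what a line of code is, and the same file gives very different KLOC figures depending on whether blanks, comments and docstrings are counted. The script below is an added example for this archive page, not code posted by any participant: it partitions a Python source file into physical, blank, comment-only, docstring-only and executable lines with the standard library's tokenize module and applies the 5 to 50 bugs/KLOC range Suha quotes to each count. The sample module (SAMPLE) is constructed for the example, and the 5/50 rates are parameters, not measurements.

```python
"""Count lines of code the same way every time before applying a bugs/KLOC rule.

Added example for this thread, not code from any poster. The "5 to 50 bugs
per KLOC" figure only means something if "line of code" is defined; this
counts physical, blank, comment-only, docstring-only and executable lines
of Python source with the standard tokenize module, then applies the range.
"""
import io
import tokenize
from dataclasses import dataclass

# Constructed sample input: 13 physical lines mixing code, comments,
# docstrings and blanks.
SAMPLE = '''\
"""Module docstring spanning
two lines."""

import os  # inline comment, still a code line

# comment-only line
def handler(path):
    """Entry point docstring."""
    if not path:
        return None
    return os.path.basename(
        path,
    )
'''

# Token types that carry no source text of their own and must not mark a line as code.
_LAYOUT = {tokenize.NL, tokenize.NEWLINE, tokenize.INDENT, tokenize.DEDENT,
           tokenize.ENDMARKER}


@dataclass
class LocStats:
    physical: int   # every line, as a naive `wc -l` would count
    blank: int      # whitespace-only lines
    comment: int    # lines holding only a comment
    docstring: int  # lines belonging to a standalone string statement
    code: int       # lines with at least one executable token


def count_loc(source: str) -> LocStats:
    """Partition every physical line of `source` into exactly one bucket."""
    lines = source.splitlines()
    code_lines, comment_lines, docstring_lines = set(), set(), set()
    toks = list(tokenize.generate_tokens(io.StringIO(source).readline))
    prev_sig = None  # last token that was not a comment or a blank-line NL
    for i, tok in enumerate(toks):
        span = range(tok.start[0], tok.end[0] + 1)
        if tok.type == tokenize.COMMENT:
            comment_lines.update(span)
        elif tok.type == tokenize.STRING:
            # A string is a docstring only when it is a statement by itself:
            # nothing but a statement boundary before it and a NEWLINE after.
            nxt = toks[i + 1].type if i + 1 < len(toks) else tokenize.ENDMARKER
            standalone = (prev_sig in (None, tokenize.NEWLINE, tokenize.INDENT,
                                       tokenize.DEDENT)
                          and nxt in (tokenize.NEWLINE, tokenize.ENDMARKER))
            (docstring_lines if standalone else code_lines).update(span)
        elif tok.type not in _LAYOUT:
            code_lines.update(span)
        if tok.type not in (tokenize.NL, tokenize.COMMENT):
            prev_sig = tok.type
    # A line goes in its "strongest" bucket: code beats docstring beats comment.
    docstring_only = docstring_lines - code_lines
    comment_only = comment_lines - code_lines - docstring_lines
    classified = code_lines | docstring_only | comment_only
    return LocStats(
        physical=len(lines),
        blank=len(lines) - len(classified),
        comment=len(comment_only),
        docstring=len(docstring_only),
        code=len(code_lines),
    )


def estimate_bugs(loc: int, low_per_kloc: float = 5, high_per_kloc: float = 50):
    """Apply the thread's 5-50 bugs/KLOC rule of thumb; returns (low, high)."""
    return (loc * low_per_kloc / 1000, loc * high_per_kloc / 1000)


if __name__ == "__main__":
    stats = count_loc(SAMPLE)
    print(stats)
    # Same file, two plausible LOC figures, nearly a 2x gap in the estimate.
    print("range on physical lines:", estimate_bugs(stats.physical))
    print("range on code lines:    ", estimate_bugs(stats.code))
```

Run it on a real tree by feeding each file's text to count_loc and summing the code field; the point is that the 40M/1.5M style figures quoted upthread are only comparable with each other if they were produced by one such fixed definition, and the bugs/KLOC estimate inherits whatever slack the definition has.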
Current thread:
- Code Complexity vs. Security Mark Curphey (Jul 23)
- Re: Code Complexity vs. Security Gunnar Peterson (Jul 23)
- Message not available
- Re: Code Complexity vs. Security David King (Jul 25)
- Re: Code Complexity vs. Security Suha Demir CAN (Jul 25)
- Re: Code Complexity vs. Security athena (Jul 26)
- Re: Code Complexity vs. Security Ed Moyle (Jul 26)
- Message not available
- RE: Code Complexity vs. Security Mark Curphey (Jul 25)
- Re: Code Complexity vs. Security Adam Shostack (Jul 25)
- Re: Code Complexity vs. Security Gunnar Peterson (Jul 23)
- <Possible follow-ups>
- RE: Code Complexity vs. Security Michael Silk (Jul 25)
- Re: Code Complexity vs. Security Skip Carter (Jul 26)
- RE: Code Complexity vs. Security Wolf, Yonah (Jul 26)
- RE: Code Complexity vs. Security Calderon, Juan Carlos (GE Commercial Finance, NonGE) (Jul 26)
- RE: Code Complexity vs. Security Mark Mcdonald (Jul 26)
- RE: Code Complexity vs. Security Mark Mcdonald (Jul 26)