WebApp Sec mailing list archives

Re: Code Complexity vs. Security


From: Suha Demir CAN <sdcan () gsu linux org tr>
Date: Sun, 25 Jul 2004 19:18:39 +0300 (EEST)

The authors state that (paraphrasing):

"estimates are anywhere between 5 to 50 bugs per KLOC (thousand lines of
code) in that book. The numbers corresponding to a system that has
undergone rigorous quality assurance and a system that has only been
feature tested, like most commercial software."

They also include LOC counts for some software systems: Windows XP (40M),
Space Station (40M), Linux (1,5M), Windows95 (<5M), etc.

I can't think of any code complexity metrics other than LOC, and even that
isn't most satisfying.  Can anyone think of any general one?

IMHO, it wouldn't be wrong to think more LOC, more bugs, as a general
guideline. The number and nature of entry points to the program can also
have a value in determining the risk level the software is exposed to.

Suha Demir Can
----------------------------------------------------------------------
"When the game is over, the king and the pawn go in the same box"
-----> sdcan  <-----
GCS d? s:+>: a-- C++(++++)$ UL+++ P+ L+++ E---- W+(++) N+() o? K?
w(---) !0 M-(+) !V PS+ PE- Y+ PGP t- 5? X-(+) R+(+++) tv b++ DI D+ G++
e+>++ h-(!) r* y+
----------------------------------------------------------------------
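The message above treats LOC as the only general metric, quotes a 5 to 50 bugs per KLOC estimate, and suggests counting entry points. The following script is an added example, not code from the thread or from any of its authors: it measures logical LOC of a source file, derives the defect range implied by the quoted 5 to 50 bugs/KLOC figure, counts module-level functions as a crude stand-in for "entry points", and, going one step beyond the thread, computes McCabe cyclomatic complexity per function as one general metric other than LOC. The sample source is constructed for the example; the choice of which AST nodes count as branches and the entry-point rule are assumptions.

```python
import ast
import io
import tokenize

# Range quoted (paraphrased) from Hoglund and McGraw in the thread: 5 to 50 bugs per KLOC.
BUGS_PER_KLOC = (5, 50)

# Constructed sample module; not taken from the thread or any real project.
SAMPLE = '''\
"""Tiny request handler used as constructed input."""

def is_safe_path(p):  # reachable from outside: an entry point
    # reject directory traversal before anything else
    if ".." in p or p.startswith("/"):
        return False
    return True

def handle(request):
    path = request.get("path", "")
    if not is_safe_path(path):
        return 400
    for part in path.split("/"):
        if part == "admin" and not request.get("auth"):
            return 403
    return 200
'''

# Token kinds that carry no code: blank lines, comments, layout markers.
_NON_CODE = {tokenize.COMMENT, tokenize.NL, tokenize.NEWLINE,
             tokenize.INDENT, tokenize.DEDENT, tokenize.ENDMARKER}


def logical_loc(source: str) -> int:
    """Count source lines that contain at least one code token."""
    lines = set()
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type not in _NON_CODE:
            lines.add(tok.start[0])
    return len(lines)


def estimated_defects(loc: int, per_kloc=BUGS_PER_KLOC):
    """Defect range implied by a bugs-per-KLOC estimate (low, high)."""
    return tuple(loc * rate / 1000 for rate in per_kloc)


class _Complexity(ast.NodeVisitor):
    """McCabe cyclomatic complexity: 1 + number of decision points.

    Assumption: if/for/while/ternary/except handlers count one each and
    every extra operand of a boolean 'and'/'or' counts one (short-circuit branch).
    Nested function definitions are folded into their parent.
    """
    BRANCHES = (ast.If, ast.For, ast.While, ast.IfExp, ast.ExceptHandler)

    def __init__(self):
        self.count = 1

    def generic_visit(self, node):
        if isinstance(node, self.BRANCHES):
            self.count += 1
        elif isinstance(node, ast.BoolOp):
            self.count += len(node.values) - 1
        super().generic_visit(node)


def cyclomatic(func: ast.FunctionDef) -> int:
    visitor = _Complexity()
    visitor.visit(func)
    return visitor.count


def report(source: str) -> dict:
    """Per-module metrics: LOC, defect range, entry points, complexity per function."""
    tree = ast.parse(source)
    funcs = [n for n in tree.body if isinstance(n, ast.FunctionDef)]
    loc = logical_loc(source)
    return {
        "loc": loc,
        "defects_low_high": estimated_defects(loc),
        # Assumption: a public module-level function is an entry point.
        "entry_points": [f.name for f in funcs if not f.name.startswith("_")],
        "complexity": {f.name: cyclomatic(f) for f in funcs},
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE).items():
        print(f"{key}: {value}")
    # The thread's Windows XP figure (40M LOC) at 5..50 bugs/KLOC:
    print("40M LOC implies", estimated_defects(40_000_000), "defects")
```

On the constructed sample, `handle` scores higher than `is_safe_path` even though both are short, which is the kind of signal LOC alone misses: the function with the nested loop-and-condition is where the review effort belongs, and the two public functions are the surface a caller can reach.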

On Sat, 24 Jul 2004, David King wrote:

I remember there was a section on this near the
beginning of the book "Exploiting Software: How to Break Code" (Greg
Hoglund and Gary McGraw).  If I remember right they cite a couple of
studies and they seem to believe the number of lines of code is
one of the best indicators of the number of bugs the software will
have.

Dave King
www.thesecure.net

On Sat, 24 Jul 2004 20:36:07 -0600, David King <davewking () gmail com> wrote:
I remember in the book "Exploiting Software: How to Break Code" (Greg
Hoglund and Gary McGraw) there was a section on this near the
beginning of the book.  If I remember right they cite a couple of
studies and they seem to believe the number of lines of code is
one of the best indicators of the number of bugs the software will
have.

Dave King
www.thesecure.net



On Fri, 23 Jul 2004 21:25:20 +0000, Gunnar Peterson
<gunnar () arctecgroup net> wrote:
Dan Geer's Blackhat Windows keynote talk last January charted lines of code
against vulnerabilities over time. LOC is not complexity per se, but it is an
indicator.



Quoting Mark Curphey <mark () curphey com>:

Has anyone seen any good studies that analytically compare the security
quality of code to code complexity?
