Secure Coding mailing list archives
Microsoft Pushes Secure, Quality Code
From: gem at cigital.com (Gary McGraw)
Date: Tue, 9 Oct 2007 08:43:54 -0400
I am in full agreement that we need metrics. The challenge is that syntactic metrics are easy to compute and not very useful from a management perspective, and that business-relevant metrics are much fuzzier and difficult to compute given a glob of code. That said, we should keep trying! I believe one answer is to take advantage of relative metrics over time.

gem
company www.cigital.com

------Original Message------
From: Steven M. Christey
To: Gary McGraw
Cc: Steven M. Christey
Cc: Secure Coding Mailing List
Sent: Oct 8, 2007 4:07 PM
Subject: RE: [SC-L] Microsoft Pushes Secure, Quality Code

On Mon, 8 Oct 2007, Gary McGraw wrote:
> Not surprising. Last time I looked, attack surface is subjective. McCabe is not. BTW, McCabe's Cyclomatic complexity boils down to 85% lines of code and 15% data flow if you do a principal component analysis on it.
Hopefully the SEI people are monitoring this list and can provide their feedback. They've done some concrete work in making attack surface as objective as possible, enough to the point where they compared 2 FTP servers about a year ago. One of their papers comments that they wanted to use the code scanners to make the calculations for them, but for some reason they couldn't. I was under the impression from Mike Howard's comments over the years, that MS had some concrete (perhaps subjective) comparisons between different MS variants, and this was part of the argument for Vista's security over past MS operating systems.
> Just throw the code in the box and turn the crank. Then discard the results and you're done!
While I understand the sentiment, it seems to me that you can't get very far without metrics of some sort. Perhaps more importantly, the real decision-makers need them because it's not their job (and probably not their expertise) to pore through endless details.

- Steve
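As an added illustration of the two points argued above (that McCabe complexity is a purely syntactic, crank-turnable metric, and that relative metrics over time are a more useful way to consume it), here is a small, self-contained example that is not part of the list thread or either author's work. It computes cyclomatic complexity (decision points + 1, the usual AST-based approximation: if/elif, loops, except handlers, ternaries, comprehensions, and one per extra operand of a short-circuit boolean) and lines of code per function for two constructed versions of a toy module, then reports the per-function delta. The two module versions, the decision-counting rule and all function names are assumptions made for the example.

```python
import ast

# Constructed sample input: two successive versions of the same toy module,
# standing in for "the same code over time". Never executed, only parsed.
VERSION_1 = '''
def parse_header(buf):
    if not buf:
        return None
    if buf[0] == 0x41:
        return "A"
    elif buf[0] == 0x42:
        return "B"
    return "other"

def checksum(data):
    total = 0
    for b in data:
        total = (total + b) & 0xFF
    return total
'''

VERSION_2 = '''
def parse_header(buf):
    if not buf:
        return None
    if buf[0] == 0x41 and len(buf) > 4:
        return "A"
    elif buf[0] == 0x42:
        return "B"
    while len(buf) > 1 and buf[-1] == 0:
        buf = buf[:-1]
    try:
        return buf.decode()
    except UnicodeDecodeError:
        return "other"

def checksum(data):
    total = 0
    for b in data:
        total = (total + b) & 0xFF
    return total
'''


class _DecisionCounter(ast.NodeVisitor):
    """Count decision points inside one function body (assumed rule, see lead-in)."""

    def __init__(self):
        self.decisions = 0

    def visit_If(self, node):
        self.decisions += 1          # 'elif' is a nested If in orelse, so it counts too
        self.generic_visit(node)

    visit_For = visit_While = visit_AsyncFor = visit_IfExp = visit_ExceptHandler = visit_If

    def visit_BoolOp(self, node):
        self.decisions += len(node.values) - 1   # each extra 'and'/'or' operand short-circuits
        self.generic_visit(node)

    def visit_comprehension(self, node):
        self.decisions += 1 + len(node.ifs)      # one per 'for' clause plus its filters
        self.generic_visit(node)

    def visit_FunctionDef(self, node):
        pass  # nested defs are scored on their own, not folded into the parent

    visit_AsyncFunctionDef = visit_FunctionDef


def cyclomatic_complexity(func_node):
    """McCabe complexity of a FunctionDef node: decision points + 1."""
    counter = _DecisionCounter()
    counter.generic_visit(func_node)   # walk the body, not the def node itself
    return counter.decisions + 1


def module_metrics(source):
    """Map each function name to its cyclomatic complexity and line count."""
    tree = ast.parse(source)
    metrics = {}
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            metrics[node.name] = {
                "cc": cyclomatic_complexity(node),
                "loc": node.end_lineno - node.lineno + 1,  # needs Python 3.8+
            }
    return metrics


def complexity_delta(old_source, new_source):
    """Per-function change between two versions: the 'relative metric over time'."""
    old, new = module_metrics(old_source), module_metrics(new_source)
    empty = {"cc": 0, "loc": 0}
    return {
        name: {k: new.get(name, empty)[k] - old.get(name, empty)[k] for k in ("cc", "loc")}
        for name in sorted(set(old) | set(new))
    }


if __name__ == "__main__":
    for name, d in complexity_delta(VERSION_1, VERSION_2).items():
        print(f"{name:14} cc {d['cc']:+d}  loc {d['loc']:+d}")
```

The absolute numbers (parse_header goes from complexity 4 to 8) say little to a manager on their own, which is the weakness of syntactic metrics noted above; the delta, tracked per function across commits, at least points a reviewer at the routine whose branching grew fastest, and a parser that gained a decoding path and a trailing-zero loop is exactly where a security review would want to look.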