Secure Coding mailing list archives
Microsoft Pushes Secure, Quality Code
From: romain.gaucher at nist.gov (Romain Gaucher)
Date: Tue, 09 Oct 2007 14:39:40 -0400
Hi Steven,

I'm (with Vadim Okun) currently doing some research and prototype development in that direction. We are actually counting the number of diffused inputs (diffused in the sense of affecting other variables, even with filter application, etc.) going through sinks. We are working on PHP code only for now since we have to work pretty much from scratch (using yaxx in order to generate the AST), but we have started to evaluate real code (wordpress, mediawiki, dotclear, joomla etc.). We also plan to try different combinations of possible metrics, and see the correlation between them.

But well, the main problem with such a metric is that it's strongly related to how the programmer is working:

- Is it better to have lots of different variables that are a variation of a single input? I thought not...
- Is it better to have localized inputs in the source code? I think yes...
- Shall we count the number of classes, the object orientation of the code, the number of functions... also?

These are some questions that we are currently working on. If you guys have some ideas about that or comments, I would really appreciate it :)

Romain
http://rgaucher.info

Steven M. Christey wrote:
Interesting that attack surface isn't included, given that Microsoft was one of the earliest advocates of attack surface, a metric that is likely strongly associated with the number of input-related vulnerabilities. It's probably hard to do perfectly, though, especially if any third-party APIs are involved.

Are there any tools out there that try to measure attack surface? Has anybody had any experience in trying to apply it?

- Steve

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________
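A minimal illustration of the "diffused inputs reaching sinks" count that Romain describes, added to this archive page as an example; it is not the NIST prototype (which works on a yaxx-generated AST) and only handles straight-line PHP assignments and sink calls matched by regex. The source and sink lists, the label format and the PHP fragment are all constructed for the example.

```python
import re
SOURCES = ("$_GET", "$_POST", "$_COOKIE", "$_REQUEST")   # constructed lists for this example,
SINKS = ("echo", "print", "mysql_query", "system", "include")  # not the prototype's configuration
ASSIGN = re.compile(r"^\$(\w+)\s*=\s*(.+);$")             # $dst = <expr>;
SINK_CALL = re.compile(r"^(\w+)\s*\(?\s*(.+?)\)?\s*;$")    # sink(<args>);  or  echo <args>;
VAR = re.compile(r"\$(\w+)")

def labels_of(expr, taint):
    # Input labels an expression carries: direct superglobal reads plus the labels of every
    # variable it mentions. Filters like htmlspecialchars() do not clear labels ("even with filter application").
    labels = set()
    for src in SOURCES:
        for key in re.findall(re.escape(src) + r"\['(\w+)'\]", expr):
            labels.add(f"{src}[{key}]")
    for var in VAR.findall(expr):
        labels |= taint.get(var, set())
    return labels

def diffusion_metric(php_lines):
    # Single forward pass over straight-line statements (no branches, loops or functions).
    taint = {}                                   # variable name -> set of input labels
    sink_inputs, sink_vars = set(), set()
    for raw in php_lines:
        line = raw.strip()
        m = ASSIGN.match(line)
        if m:
            taint[m.group(1)] = labels_of(m.group(2), taint)   # reassignment replaces old labels
            continue
        m = SINK_CALL.match(line)
        if m and m.group(1) in SINKS:
            labels = labels_of(m.group(2), taint)
            if labels:
                sink_inputs |= labels
                sink_vars |= {v for v in VAR.findall(m.group(2)) if taint.get(v)}
    diffusion = {}                               # input label -> number of variables carrying it
    for labels in taint.values():
        for lab in labels:
            diffusion[lab] = diffusion.get(lab, 0) + 1
    return {"inputs_reaching_sinks": sorted(sink_inputs),
            "vars_reaching_sinks": sorted(sink_vars), "diffusion": diffusion}

SAMPLE = [  # constructed PHP fragment, not taken from any project named in the post
    "$name = $_GET['name'];",
    "$safe = htmlspecialchars($name);",        # filtered, but still derived from input
    "$id = $_POST['id'];",
    "$q = \"SELECT * FROM t WHERE id = \" . $id;",
    "$tmp = $_GET['unused'];", "$tmp = 'static';",   # overwrite: $tmp no longer carries input
    "echo $safe;",
    "mysql_query($q);",
]
```

On SAMPLE the metric reports two inputs and two derived variables reaching sinks, and a diffusion of 2 variables per input, which is the "how many variations of one input" count Romain's first question asks about.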