WebApp Sec mailing list archives
Re: Code Complexity vs. Security
From: Ed Moyle <ed () securitycurve com>
Date: Mon, 26 Jul 2004 13:01:51 -0400
On 7/26/04 5:02 AM, "athena () buyukada co uk" <athena () buyukada co uk> wrote:
I can't think of any code complexity metrics other than LOC, and even that isn't the most satisfying. Can anyone think of any general one?

LOC can be seen as an indicator of code complexity, but not really of the number of bugs. It's development models, code complexity and readability that are the real indicators.
As a follow-on to this point, I think it would be quite interesting for someone to gather metrics correlating the number of security-charged bugs coming out of shops employing formalized development processes vs. shops that have more "liberal" methodologies. I realize that this may be a contentious statement, but I've been saying for a number of years that the more "advanced" a shop is with respect to reproducibility, maintainability, etc. (along the lines of CMM and the like), the lower I think the incidence of security-related bugs will be. This seems intuitive, but I would very much like to see if this pans out in a more formal analysis.

I'd wager that as the level of maturity increases, the incidence of this type of problem decreases. Further, I would speculate that the rate of bugs discovered in a particular product would decrease at a faster rate as well. Again, this is just intuition at this point, but I would think a really interesting study could come about from a correlation of data from CVE vs. level of maturity on CMM. I'm thinking that someone with some time on their hands could publish some fascinating results in that space if they were so inclined (even if it was just to refute the argument).

Anyway, just my $.02.

Regards,
-E