Secure Coding mailing list archives

Re: Interesting article on the adoption of Software Security


From: Crispin Cowan <crispin () immunix com>
Date: Thu, 10 Jun 2004 21:03:59 +0100


Damir Rajnovic wrote:


While it is true that only some of the bugs are fixed, that fixing can
have an unexpectedly high price tag attached. No matter how you look
at this, it _is_ cheaper to fix bugs as soon as possible in the process
(or not introduce them in the first place).


This is true in the isolation of looking at the cost of fixing any one 
individual bug, but it is not true in general. Fixing one bug early in 
the process is cheap and easy. Fixing the *last* bug in a system is 
astronomically expensive, because the cost of *finding* bugs rises 
exponentially as you further and further refine it. Worse, you 
eventually reach a point of equilibrium where your chances of inserting 
a new bug in the course of fixing a known bug are about even, and it 
becomes almost impossible to reduce the bug count further.



Personally, I do not see how this can be easily measured.

This entire area is rife with mushy psychological issues involving 
humans' ability to process information correctly. As a result, nearly all 
of the absolute statements are wrong, and they function only within 
certain ranges, e.g. fixing bugs early in development is cheaper than 
patching in the field, but only within the bounds of digging only so 
hard for bugs.


But even this statement is self-limiting. The above claim is not true 
(or at least less true) for safety-critical systems like fly-by-wire 
systems and nuclear reactor controllers, where the cost of failure due 
to a bug is so high that it is worth paying the extra $$$ to find the 
residual bugs in the development phase.


My reaction to the feuding over whether it is better to shore up C/C++ 
or to use newer safer languages like Java and C#: each has its place.


   * There are millions of lines of existing C/C++ code running the
     world. Holding your breath until they are all replaced with type
     safe code is not going to be effective, and therefore there is
     strong motive to deploy tools (e.g. StackGuard, RATS, etc.) to
     improve the safety of this code.
   * New code should be written in type safe languages unless there is
     a very strong reason to do otherwise.

Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com
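The two bullets above contrast bolting protection onto existing C code (StackGuard's approach of placing a canary word between a function's local buffers and its saved return address and checking it before returning) with avoiding the bug class altogether. The following is an added example, not code from this thread or from StackGuard itself: it models the canary idea on a small constructed struct so the check can be demonstrated without corrupting a real stack, and places a legacy unbounded copy beside a bounds-checked replacement. The struct layout, the canary value, and the function names are assumptions made for this illustration.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical, constructed layout: a fixed buffer immediately followed
   by a canary word. This stands in for the stack frame StackGuard
   protects (local buffer below the saved return address, canary between
   them). The size and the canary value are assumptions for this example. */
#define BUF_SIZE 16
#define CANARY_VALUE 0xDEADBEEFu

struct frame {
    char buf[BUF_SIZE];
    uint32_t canary;
};

static void frame_init(struct frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->canary = CANARY_VALUE;
}

/* Returns 1 if the canary is still intact, 0 if something overwrote it.
   StackGuard makes this comparison in the function epilogue, before the
   saved return address is used. */
static int canary_intact(const struct frame *f) {
    return f->canary == CANARY_VALUE;
}

/* Legacy-style copy: no bounds check, so a long input runs past buf into
   whatever follows it. The write is capped at the struct size so the
   demonstration stays well-defined C; a real strcpy would keep going
   into the return address and beyond. */
static void unsafe_copy(struct frame *f, const char *src) {
    size_t n = strlen(src) + 1;
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy((char *)f, src, n);
}

/* Hardened copy: refuses input that does not fit. Returns 0 on success,
   -1 if the input was rejected (buffer left unchanged). */
static int safe_copy(struct frame *f, const char *src) {
    size_t n = strlen(src);
    if (n >= sizeof f->buf)
        return -1;
    memcpy(f->buf, src, n + 1);
    return 0;
}

int main(void) {
    struct frame f;
    const char *ok = "short input";                             /* constructed, fits */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* constructed, 32 bytes */

    frame_init(&f);
    unsafe_copy(&f, ok);
    printf("unsafe_copy(short): canary %s\n",
           canary_intact(&f) ? "intact" : "CLOBBERED");

    frame_init(&f);
    unsafe_copy(&f, too_long);
    printf("unsafe_copy(long):  canary %s\n",
           canary_intact(&f) ? "intact" : "CLOBBERED");

    frame_init(&f);
    int rc = safe_copy(&f, too_long);
    printf("safe_copy(long):    rc=%d, canary %s\n", rc,
           canary_intact(&f) ? "intact" : "CLOBBERED");
    return 0;
}
```

The canary check only detects the overflow after it has happened; it turns a silent control-flow hijack into a detected abort, which is the "improve the safety of this code" tool-based mitigation of the first bullet. The bounded copy is the kind of discipline a type-safe language enforces for free, which is the second bullet.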
