WebApp Sec mailing list archives

RE: Code Complexity vs. Security


From: "Wolf, Yonah" <Yonah.Wolf () ujc org>
Date: Mon, 26 Jul 2004 12:19:33 -0400

Although LOC is definitely a good indicator, I think that there are definitely other metrics that are more telling:

- Measure of inputs and outputs (more so the in than the out) is not so much a measure of complexity, but I imagine
that if we give code more entry points, that then gives us additional elements that need to verify their input, which
adds to the complexity of security. By this token a highly-complicated program with a minimal number of inputs should
be relatively more secure than a less complicated program with significantly more inputs. In plain English - a house
with only one door is easier to protect than one with 50 windows.

- I used to teach programmers a method called code cost - i.e. different methods are assigned different weights
-'prices'- and that the most efficient code would be the one that costs the least. For example, if it costs $5.00 to
cache a dataset and $1.00 for every db call, then it is worth it to cache the DB call if the data will be used more
than 5 times - or - if each IF costs $0.25, consolidate your logic to eliminate unnecessary IFs. (This isn't the
easiest example to use if you don't have a concrete example). In this situation, the higher the 'cost', the more
complex the program is. It can also be inferred that more 'expensive' programs are, in fact, more expensive, as they
will require more effort to develop and maintain, and may take longer to debug as it might be harder to isolate
the problem.

