WebApp Sec mailing list archives
RE: Code Complexity vs. Security
From: "Wolf, Yonah" <Yonah.Wolf () ujc org>
Date: Mon, 26 Jul 2004 12:19:33 -0400
Although LOC is definitely a good indicator, I think that there are definitely other metrics that are more telling:

- Measure of inputs and outputs (more so the in than the out) is not so much a measure of complexity, but I imagine that if we give code more entry points, that then gives us additional elements that need to verify their input, which adds to the complexity of security. By this token a highly complicated program with a minimal number of inputs should be relatively more secure than a less complicated program with significantly more inputs. In plain English: a house with only one door is easier to protect than one with 50 windows.

- I used to teach programmers a method called code cost, i.e. different methods are assigned different weights ('prices') and the most efficient code would be the one that costs the least. For example, if it costs $5.00 to cache a dataset and $1.00 for every DB call, then it is worth it to cache the DB call if the data will be used more than 5 times; or, if each IF costs $0.25, consolidate your logic to eliminate unnecessary IFs. (This isn't the easiest example to use if you don't have a concrete example.) In this situation, the higher the 'cost', the more complex the program is. It can also be inferred that more 'expensive' programs are in fact more expensive, as they will require more effort to develop and maintain, and may take longer to debug as it might be harder to isolate the problem.
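Both metrics in the message above (number of inputs, and a weighted "code cost") can be computed mechanically. What follows is an added example and not code from the post or from the list: a small Python analyzer built on the standard-library ast module that charges each top-level function at the post's example prices ($0.25 per IF, $1.00 per database call, $5.00 to cache a dataset) and counts its parameters as entry points. The function names db_query and cache_dataset, the sample module, and the assumed loop trip count of 10 are all constructed for this example; the dollar weights are the post's illustrative figures, not a recommendation.

```python
from __future__ import annotations

import ast
from dataclasses import dataclass

# Prices from the post's example scheme (assumed, team-chosen weights).
COST_PER_IF = 0.25
COST_PER_DB_CALL = 1.00
COST_PER_CACHE = 5.00

# Calls treated as the expensive operations: names constructed for this example.
DB_CALL_NAMES = {"db_query"}
CACHE_NAMES = {"cache_dataset"}

# Static analysis cannot know how often a loop runs; assume a trip count so that
# a DB call inside a loop is charged as repeated work (assumption for this example).
ASSUMED_LOOP_ITERATIONS = 10


@dataclass
class FunctionMetrics:
    name: str
    entry_points: int = 0   # parameters: externally supplied inputs that need verifying
    if_count: int = 0       # IF statements, charged once each as a logic cost
    db_calls: int = 0       # DB calls, multiplied by assumed loop repetitions
    cache_calls: int = 0    # dataset caches, weighted the same way

    @property
    def cost(self) -> float:
        return (self.if_count * COST_PER_IF
                + self.db_calls * COST_PER_DB_CALL
                + self.cache_calls * COST_PER_CACHE)


def _call_name(func: ast.expr) -> str | None:
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


class _CostVisitor(ast.NodeVisitor):
    def __init__(self, metrics: FunctionMetrics) -> None:
        self.m = metrics
        self.loop_depth = 0

    def _visit_loop(self, once: list[ast.AST], body: list[ast.stmt], orelse: list[ast.stmt]) -> None:
        for node in once:            # evaluated once, outside the repeated region
            self.visit(node)
        self.loop_depth += 1
        for stmt in body:
            self.visit(stmt)
        self.loop_depth -= 1
        for stmt in orelse:
            self.visit(stmt)

    def visit_For(self, node: ast.For) -> None:
        self._visit_loop([node.iter], node.body, node.orelse)

    def visit_While(self, node: ast.While) -> None:
        self._visit_loop([node.test], node.body, node.orelse)

    def visit_If(self, node: ast.If) -> None:
        self.m.if_count += 1
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        repeats = ASSUMED_LOOP_ITERATIONS ** self.loop_depth
        name = _call_name(node.func)
        if name in DB_CALL_NAMES:
            self.m.db_calls += repeats
        elif name in CACHE_NAMES:
            self.m.cache_calls += repeats
        self.generic_visit(node)     # arguments may themselves contain calls


def analyze_source(source: str) -> dict[str, FunctionMetrics]:
    """Per-function metrics for every top-level function in the given source."""
    results: dict[str, FunctionMetrics] = {}
    for node in ast.parse(source).body:
        if isinstance(node, ast.FunctionDef):
            a = node.args
            inputs = (len(a.posonlyargs) + len(a.args) + len(a.kwonlyargs)
                      + (1 if a.vararg else 0) + (1 if a.kwarg else 0))
            m = FunctionMetrics(node.name, entry_points=inputs)
            visitor = _CostVisitor(m)
            for stmt in node.body:
                visitor.visit(stmt)
            results[node.name] = m
    return results


def rank_by_cost(metrics: dict[str, FunctionMetrics]) -> list[str]:
    """Function names, most expensive first."""
    return sorted(metrics, key=lambda n: metrics[n].cost, reverse=True)


def most_exposed(metrics: dict[str, FunctionMetrics]) -> str:
    """The function with the most entry points: the house with the most windows."""
    return max(metrics, key=lambda n: metrics[n].entry_points)


# Constructed sample module: the uncached and cached versions of the same job,
# plus a cheap function that nevertheless exposes six inputs.
SAMPLE_SOURCE = '''
def price_uncached(order_ids, currency):
    total = 0
    for oid in order_ids:
        row = db_query("SELECT price FROM orders WHERE id = ?", oid)
        if currency == "EUR":
            total += row * 0.9
        else:
            total += row
    return total

def price_cached(order_ids, currency):
    prices = cache_dataset("orders")
    total = 0
    for oid in order_ids:
        if currency == "EUR":
            total += prices[oid] * 0.9
        else:
            total += prices[oid]
    return total

def report(a, b, c, d, e, f):
    return db_query("SELECT 1")
'''

if __name__ == "__main__":
    metrics = analyze_source(SAMPLE_SOURCE)
    for name in rank_by_cost(metrics):
        m = metrics[name]
        print(f"{name:16s} inputs={m.entry_points} ifs={m.if_count} "
              f"db={m.db_calls} cache={m.cache_calls} cost=${m.cost:.2f}")
    print("most entry points:", most_exposed(metrics))
```

With the assumed trip count of 10, the uncached loop is charged ten DB calls ($10.25 with its IF) against $5.25 for fetching the dataset once, which is the post's "cache if used more than 5 times" rule falling out of the weights. The `report` function is the cheapest by cost yet has the most entry points, which is the post's other point: cost and attack surface are different metrics and have to be read together.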
Current thread:
- Code Complexity vs. Security Mark Curphey (Jul 23)
- Re: Code Complexity vs. Security Gunnar Peterson (Jul 23)
- Message not available
- Re: Code Complexity vs. Security David King (Jul 25)
- Re: Code Complexity vs. Security Suha Demir CAN (Jul 25)
- Re: Code Complexity vs. Security athena (Jul 26)
- Re: Code Complexity vs. Security Ed Moyle (Jul 26)
- Message not available
- RE: Code Complexity vs. Security Mark Curphey (Jul 25)
- Re: Code Complexity vs. Security Adam Shostack (Jul 25)
- Re: Code Complexity vs. Security Gunnar Peterson (Jul 23)
- <Possible follow-ups>
- RE: Code Complexity vs. Security Michael Silk (Jul 25)
- Re: Code Complexity vs. Security Skip Carter (Jul 26)
- RE: Code Complexity vs. Security Wolf, Yonah (Jul 26)
- RE: Code Complexity vs. Security Calderon, Juan Carlos (GE Commercial Finance, NonGE) (Jul 26)
- RE: Code Complexity vs. Security Mark Mcdonald (Jul 26)
- RE: Code Complexity vs. Security Mark Mcdonald (Jul 26)
- RE: Code Complexity vs. Security Michael Silk (Jul 26)
- RE: Code Complexity vs. Security Michael Silk (Jul 26)
- RE: Code Complexity vs. Security Stan Guzik (Jul 27)
- Re: Code Complexity vs. Security Martin Mačok (Jul 28)