WebApp Sec mailing list archives

Re: Code Complexity vs. Security


From: Ed Moyle <ed () securitycurve com>
Date: Mon, 26 Jul 2004 13:01:51 -0400

On 7/26/04 5:02 AM, "athena () buyukada co uk" <athena () buyukada co uk> wrote:


I can't think of any code complexity metrics other than LOC, and even
that isn't most satisfying.  Can anyone think of any general one?

LOC can be seen as an indicator of code complexity, but not really the
number of bugs. It's development models, code complexity and readability
that are real indicators.

As a follow-on to this point, I think it would be quite interesting for
someone to gather metrics correlating the number of security-charged bugs
coming out of shops employing formalized development processes vs. shops
that have more "liberal" methodologies.  I realize that this may be a
contentious statement, but I've been saying for a number of years that the
more "advanced" a shop is with respect to reproducibility, maintainability,
etc. (along the lines of CMM and the like), the lower I think the
incidence of security-related bugs will be.  This seems intuitive, but I
would very much like to see if this pans out in a more formal analysis.  I'd
wager that as the level of maturity increases, the incidence of this type of
problem decreases.  Further, I would speculate that the rate of bugs
discovered in a particular product would decrease at a faster rate as well -
again, this is just intuition at this point, but I would think a really
interesting study could come about from a correlation of data from CVE vs.
level of maturity on CMM.

I'm thinking that someone with some time on their hands could publish some
fascinating results in that space if they were so inclined (even if it were
just to refute the argument).

Anyway, just my $.02.

Regards,
-E
