NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > WWW-Mobile-Code> 2004-q3

RE: Code Complexity vs. Security

From: Michael Silk (michaelsphg.com.au)
Date: Mon Jul 26 2004 - 21:58:30 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Skip,

        Of course, insecure design is a major issue too, but "metrics"
don't
        measure that - I was commenting on the user of LOC or
Cyclometric Complexity
        to measure your security effectiveness ("complexity") and how it
seems
        not very wise to esimate complexity based on the larger sized
code.

        And especially for buffer overflows, most of these could be
avoided if
        the programmer decided to actually *check* the value he was
passing to
        the allocate function (i.e. more code, hence metric-finder would
call
        it less secure ;)).

-- Michael

-----Original Message-----
From: Skip Carter [mailto:skiptaygeta.com]
Sent: Tuesday, 27 July 2004 7:48 AM
To: webappsecsecurityfocus.com
Subject: Re: Code Complexity vs. Security

> I would suggest that almost all programming errors (and
> hence security problems) come from some programmer attempting
> to be "smart" and reduce the size of his/her code.

Hmmm. While I agree that ill considered programming cleverness is one
source
of
problems. But there seems to be an entire class of security issues that
have
nothing
to do with bugs but with an insecure design. Consider an absolutely
bug-free
program
that controls access to a database via a text file using ROT-13
encryption.

Skip

--
Dr. Everett (Skip) Carter Phone: 831-641-0645 FAX: 831-641-0647
Taygeta Scientific Inc. INTERNET: skiptaygeta.com
1340 Munras Ave., Suite 314 WWW: http://www.taygeta.com
Monterey, CA. 93940

This email message and accompanying data may contain information that is confidential and/or subject to legal privilege. If you are not the intended recipient, you are notified that any use, dissemination, distribution or copying of this message or data is prohibited. If you have received this email message in error, please notify us immediately and erase all copies of this message and attachments.

This email is for your convenience only, you should not rely on any information contained herein for contractual or legal purposes. You should only rely on information and/or instructions in writing and on company letterhead signed by authorised persons.

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]