RE: Code Complexity vs. Security
From: Michael Silk (michaelsphg.com.au)
Date: Mon Jul 26 2004 - 21:58:30 CDT
Of course, insecure design is a major issue too, but "metrics"
measure that - I was commenting on the use of LOC or
to measure your security effectiveness ("complexity") and how it
not very wise to estimate complexity based on the larger sized
And especially for buffer overflows, most of these could be
the programmer decided to actually *check* the value he was
the allocate function (i.e. more code, hence metric-finder would
it less secure ;)).
From: Skip Carter [mailto:skiptaygeta.com]
Sent: Tuesday, 27 July 2004 7:48 AM
Subject: Re: Code Complexity vs. Security
> I would suggest that almost all programming errors (and
> hence security problems) come from some programmer attempting
> to be "smart" and reduce the size of his/her code.
Hmmm. While I agree that ill considered programming cleverness is one
problems. But there seems to be an entire class of security issues that
to do with bugs but with an insecure design. Consider an absolutely
that controls access to a database via a text file using ROT-13
Dr. Everett (Skip) Carter Phone: 831-641-0645 FAX: 831-641-0647
Taygeta Scientific Inc. INTERNET: skiptaygeta.com
1340 Munras Ave., Suite 314 WWW: http://www.taygeta.com
Monterey, CA. 93940
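The point above about buffer overflows that would have been avoided had the programmer *checked* the value handed to the allocation function (at the cost of a few more lines) can be shown concretely. The C below is an added illustration for this archive page, not code from either poster; the 16-byte record type, the two-byte length-prefixed wire format, the sample messages and all function names are constructed for the example. It pairs the "compact" unguarded size computation with the slightly longer checked one, and a parser that refuses a declared length that disagrees with the bytes actually present or with the destination capacity.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 16-byte record type used for the allocation-size arithmetic. */
typedef struct {
    uint32_t id;
    uint8_t  data[12];
} record_t;

/* The "compact" version: the record count arrives from an untrusted header
 * and is multiplied without any guard. Unsigned arithmetic wraps, so an
 * absurd count can yield a tiny allocation that later writes overrun.
 * Returns the byte count that would be handed to malloc(). */
size_t alloc_size_unchecked(size_t count)
{
    return count * sizeof(record_t);
}

/* The "longer" version: one extra comparison rejects any count whose
 * product would wrap. Returns 0 to signal rejection, the byte count otherwise. */
size_t alloc_size_checked(size_t count)
{
    if (count == 0 || count > SIZE_MAX / sizeof(record_t))
        return 0;
    return count * sizeof(record_t);
}

/* Constructed wire format: 2-byte big-endian payload length, then payload.
 * Copies the payload into out (capacity out_cap). Returns the payload length
 * on success, -1 if the declared length exceeds the bytes received or the
 * destination capacity. */
int parse_message(const uint8_t *buf, size_t buf_len, uint8_t *out, size_t out_cap)
{
    if (buf == NULL || out == NULL || buf_len < 2)
        return -1;
    size_t declared = ((size_t)buf[0] << 8) | buf[1];
    if (declared > buf_len - 2)   /* header claims more bytes than were received */
        return -1;
    if (declared > out_cap)       /* would overrun the destination buffer */
        return -1;
    memcpy(out, buf + 2, declared);
    return (int)declared;
}

/* Constructed sample messages: one honest, one whose header lies. */
static const uint8_t sample_good[]  = { 0x00, 0x03, 'a', 'b', 'c' };
static const uint8_t sample_lying[] = { 0x00, 0x10, 'a', 'b' };  /* claims 16, carries 2 */

int parse_sample_good(void)
{
    uint8_t out[8];
    return parse_message(sample_good, sizeof sample_good, out, sizeof out);
}

int parse_sample_lying(void)
{
    uint8_t out[8];
    return parse_message(sample_lying, sizeof sample_lying, out, sizeof out);
}

int parse_sample_small_dest(void)
{
    uint8_t out[2];  /* honest message, but the destination is too small */
    return parse_message(sample_good, sizeof sample_good, out, sizeof out);
}

int main(void)
{
    size_t huge = (SIZE_MAX / 2) + 1;  /* 2^63 on a 64-bit size_t */
    printf("unchecked size for huge count: %zu\n", alloc_size_unchecked(huge));
    printf("checked size for huge count:   %zu\n", alloc_size_checked(huge));
    printf("good message:        %d\n", parse_sample_good());
    printf("lying message:       %d\n", parse_sample_lying());
    printf("small destination:   %d\n", parse_sample_small_dest());
    return 0;
}
```

The unchecked function is the fewer-lines version a LOC-style metric would score as simpler; with a count of 2^63 it returns an allocation size of zero, and a subsequent copy of the "declared" records would write past that block. The checked version is a few lines longer and rejects the same input outright, which is the trade-off the thread is describing.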