Message-ID: <16612.50882.682297.270782@mail.linux-delhi.org>
From: raju at linux-delhi.org (Raj Mathur)
Subject: Web sites compromised by IIS attack

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>>>> "Valdis" == Valdis Kletnieks <Valdis.Kletnieks@...edu> writes:

Valdis> On Wed, 30 Jun 2004 21:08:27 CDT, Paul Schmehl
Valdis> <pauls@...allas.edu> said:
>> I attended a presentation yesterday for a security product in
>> the application firewall field. During the presentation, the
>> CISSP stated that "in every 1000 lines of code there will be 15
>> errors". I don't know if I'd agree with that - I suspect most
>> coders are a bit better than that - but I had to chuckle,
>> because, of course, I immediately thought, "So you admit that
    >> your code is riddled with holes!"

    Valdis> Actually, I suspect most coders are *worse* than that.
Valdis> Sendmail 8.13.0 weighs in at just about 90K lines of C
Valdis> code for the main program. By that metric, there should
Valdis> only have been 135 bugs in it. In fact, there are 441
Valdis> occurrences of 'Problem noted by' in the release notes.
Valdis> BIND 9.2.3 has 1,525 entries in the CHANGELOG file, of
Valdis> which 774 are listed as '[bug]' entries. I'm fairly sure
Valdis> that BIND9 is well under 510,000 lines of code, so again
    Valdis> we're running well above 15 bugs per KLOC.

    Valdis> So either (a) Sendmail and BIND were written by people who
Valdis> were *incredibly* worse than "the average programmer", or
Valdis> 15 errors/KLOC is a vast understatement. Now although
Valdis> Sendmail may not be a paragon of excellent programming
Valdis> practice, it would be hard to argue that it's literally 4
Valdis> times as buggy as code written by "the average programmer"
Valdis> - think back to your "intro to programming" class and ask
Valdis> what the *lower* half of the class would have done if they
    Valdis> had done a rewrite of Sendmail... ;)

My arithmetic is pretty bad too, so...

[raju@...l ~]$ bc -l
bc 1.06
Copyright 1991-1994, 1997, 1998, 2000 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'.
90000/1000*15
1350.00000000000000000000
510000/1000*15
7650.00000000000000000000

Regards,

- -- Raju

    Valdis> I might be willing to accept 15 *security-critical* errors
Valdis> per 1,000 - the vast majority of bugs are *not* a security
    Valdis> issue.

- --
Raj Mathur raju@...dalaya.org http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
It is the mind that moves

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8 <http://mailcrypt.sourceforge.net/>
iD8DBQFA5MalyWjQ78xo0X8RAn20AJwNPfbOGfPd2C9T01az+poYVsZyVgCeNo1d
+oP8ykZEn/w3A2REGIzPNb8=
=q4at
-----END PGP SIGNATURE-----