From: raju at linux-delhi.org (Raj Mathur)
Subject: Web sites compromised by IIS attack

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>>>> "Valdis" == Valdis Kletnieks <Valdis.Kletnieks@...edu> writes:

    Valdis> On Wed, 30 Jun 2004 21:08:27 CDT, Paul Schmehl
    Valdis> <pauls@...allas.edu> said:
    >> I attended a presentation yesterday for a security product in
    >> the application firewall field. During the presentation, the
    >> CISSP stated that "in every 1000 lines of code there will be 15
    >> errors". I don't know if I'd agree with that - I suspect most
    >> coders are a bit better than that - but I had to chuckle,
    >> because, of course, I immediately thought, "So you admit that
    >> your code is riddled with holes!"

    Valdis> Actually, I suspect most coders are *worse* than that.

    Valdis> Sendmail 8.13.0 weighs in at just about 90K lines of C
    Valdis> code for the main program. By that metric, there should
    Valdis> only have been 135 bugs in it. In fact, there are 441
    Valdis> occurrences of 'Problem noted by' in the release notes.

    Valdis> BIND 9.2.3 has 1,525 entries in the CHANGELOG file, of
    Valdis> which 774 are listed as '[bug]' entries. I'm fairly sure
    Valdis> that BIND9 is well under 510,000 lines of code, so again
    Valdis> we're running well above 15 bugs per KLOC.

    Valdis> So either (a) Sendmail and BIND were written by people who
    Valdis> were *incredibly* worse than "the average programmer", or
    Valdis> 15 errors/KLOC is a vast understatement. Now although
    Valdis> Sendmail may not be a paragon of excellent programming
    Valdis> practice, it would be hard to argue that it's literally 4
    Valdis> times as buggy as code written by "the average programmer"
    Valdis> - think back to your "intro to programming" class and ask
    Valdis> what the *lower* half of the class would have done if they
    Valdis> had done a rewrite of Sendmail... ;)

My arithmetic is pretty bad too, so...

[raju@...l ~]$ bc -l
bc 1.06
Copyright 1991-1994, 1997, 1998, 2000 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'.
90000/1000*15
1350.00000000000000000000
510000/1000*15
7650.00000000000000000000

Regards,

- -- Raju

    Valdis> I might be willing to accept 15 *security-critical* errors
    Valdis> per 1,000 - the vast majority of bugs are *not* a security
    Valdis> issue.

- -- 
Raj Mathur                raju@...dalaya.org      http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
                      It is the mind that moves
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8 <http://mailcrypt.sourceforge.net/>

iD8DBQFA5MalyWjQ78xo0X8RAn20AJwNPfbOGfPd2C9T01az+poYVsZyVgCeNo1d
+oP8ykZEn/w3A2REGIzPNb8=
=q4at
-----END PGP SIGNATURE-----