From: raju at linux-delhi.org (Raj Mathur)
Subject: Web sites compromised by IIS attack 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>>>> "Valdis" == Valdis Kletnieks <Valdis.Kletnieks@...edu> writes:

    Valdis> On Wed, 30 Jun 2004 21:08:27 CDT, Paul Schmehl
    Valdis> <pauls@...allas.edu> said:
    >> I attended a presentation yesterday for a security product in
    >> the application firewall field.  During the presentation, the
    >> CISSP stated that "in every 1000 lines of code there will be 15
    >> errors".  I don't know if I'd agree with that - I suspect most
    >> coders are a bit better than that - but I had to chuckle,
    >> because, of course, I immediately thought, "So you admit that
    >> your code is riddled with holes!"

    Valdis> Actually, I suspect most coders are *worse* than that.

    Valdis> Sendmail 8.13.0 weighs in at just about 90K lines of C
    Valdis> code for the main program.  By that metric, there should
    Valdis> only have been 135 bugs in it. In fact, there are 441
    Valdis> occurrences of 'Problem noted by' in the release notes.

    Valdis> BIND 9.2.3 has 1,525 entries in the CHANGELOG file, of
    Valdis> which 774 are listed as '[bug]' entries.  I'm fairly sure
    Valdis> that BIND9 is well under 510,000 lines of code, so again
    Valdis> we're running well above 15 bugs per KLOC.

    Valdis> So either (a) Sendmail and BIND were written by people who
    Valdis> were *incredibly* worse than "the average programmer", or
    Valdis> 15 errors/KLOC is a vast understatement.  Now although
    Valdis> Sendmail may not be a paragon of excellent programming
    Valdis> practice, it would be hard to argue that it's literally 4
    Valdis> times as buggy as code written by "the average programmer"
    Valdis> - think back to your "intro to programming" class and ask
    Valdis> what the *lower* half of the class would have done if they
    Valdis> had done a rewrite of Sendmail... ;)

My arithmetic is pretty bad too, so...
[raju@...l ~]$ bc -l
bc 1.06
Copyright 1991-1994, 1997, 1998, 2000 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'.
90000/1000*15
1350.00000000000000000000
510000/1000*15
7650.00000000000000000000

Regards,

- -- Raju

    Valdis> I might be willing to accept 15 *security-critical* errors
    Valdis> per 1,000 - the vast majority of bugs are *not* a security
    Valdis> issue.

- -- 
Raj Mathur                raju@...dalaya.org      http://kandalaya.org/
       GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
                      It is the mind that moves
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8 <http://mailcrypt.sourceforge.net/>

iD8DBQFA5MalyWjQ78xo0X8RAn20AJwNPfbOGfPd2C9T01az+poYVsZyVgCeNo1d
+oP8ykZEn/w3A2REGIzPNb8=
=q4at
-----END PGP SIGNATURE-----