Hi, Will the Open Group consider incorporating software security features in its software technical standards given the fact that these days lots of software are getting hacked?
""""Basically, I am proposing that the inputs of all functions should be validated."""" I did some experiments with glibc's qsort() function, and I found out that the performance degradation is only 0.6% - 0.8% per function argument. So, let's say that a function has 5 arguments, then the maximum performance degradation will be only 4%. So, if all functions in a software have 5 arguments, then argument validation of all functions will make the whole software slower by only 4%. About limits on the inputs: Let's say that there is a sorting function that sorts an integer array, and it takes the number of array elements as an input. In this case, you can limit the maximum number of elements to around 10% of the RAM size and the total size of the array to around 25% of the RAM size. In my opinion, around 90% of all software vulnerabilities can be traced back to some input(s) (of some function(s)) not being validated. I have researched this and have seen some CVEs and all the CVEs that I saw, they happened because the inputs were not validated. ---------------------------------------- Let's say that some hospital software got hacked because the software provider didn't validate the inputs of the functions because the software provider didn't want 4% performance degradation. Now, what will happen to the patients? What will happen to those patients who were using medical machines, and those machines got hacked because 4% performance degradation was not acceptable, even if that resulted in insecure software (that ultimately got hacked)? "Insecure software" gets hacked, and this leads to the loss of millions of dollars, and also exposes users' private data, like - SSNs, mobile numbers, etc. So, it is "necessary" to create secure software these days. The most important part of creating secure software is to validate all the inputs of all the functions. In my opinion, around 90% of all software vulnerabilities can be traced back to some input(s) (of some function(s)) not being validated. ---------------------------------------- Amit
