-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>>>> "Valdis" == Valdis Kletnieks <[EMAIL PROTECTED]> writes:

    Valdis> On Wed, 30 Jun 2004 21:08:27 CDT, Paul Schmehl
    Valdis> <[EMAIL PROTECTED]> said:

    >> I attended a presentation yesterday for a security product in
    >> the application firewall field. During the presentation, the
    >> CISSP stated that "in every 1000 lines of code there will be 15
    >> errors". I don't know if I'd agree with that - I suspect most
    >> coders are a bit better than that - but I had to chuckle,
    >> because, of course, I immediately thought, "So you admit that
    >> your code is riddled with holes!"

    Valdis> Actually, I suspect most coders are *worse* than that.

    Valdis> Sendmail 8.13.0 weighs in at just about 90K lines of C
    Valdis> code for the main program. By that metric, there should
    Valdis> only have been 135 bugs in it. In fact, there are 441
    Valdis> occurrences of 'Problem noted by' in the release notes.

    Valdis> BIND 9.2.3 has 1,525 entries in the CHANGELOG file, of
    Valdis> which 774 are listed as '[bug]' entries. I'm fairly sure
    Valdis> that BIND9 is well under 510,000 lines of code, so again
    Valdis> we're running well above 15 bugs per KLOC.

    Valdis> So either (a) Sendmail and BIND were written by people who
    Valdis> were *incredibly* worse than "the average programmer", or
    Valdis> 15 errors/KLOC is a vast understatement. Now although
    Valdis> Sendmail may not be a paragon of excellent programming
    Valdis> practice, it would be hard to argue that it's literally 4
    Valdis> times as buggy as code written by "the average programmer"
    Valdis> - think back to your "intro to programming" class and ask
    Valdis> what the *lower* half of the class would have done if they
    Valdis> had done a rewrite of Sendmail... ;)

My arithmetic is pretty bad too, so...

    [EMAIL PROTECTED] ~]$ bc -l
    bc 1.06
    Copyright 1991-1994, 1997, 1998, 2000 Free Software Foundation, Inc.
    This is free software with ABSOLUTELY NO WARRANTY.
    For details type `warranty'.
    90000/1000*15
    1350.00000000000000000000
    510000/1000*15
    7650.00000000000000000000

Regards,

- -- Raju

    Valdis> I might be willing to accept 15 *security-critical* errors
    Valdis> per 1,000 - the vast majority of bugs are *not* a security
    Valdis> issue.

- --
Raj Mathur                [EMAIL PROTECTED]      http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
                      It is the mind that moves
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8 <http://mailcrypt.sourceforge.net/>

iD8DBQFA5MalyWjQ78xo0X8RAn20AJwNPfbOGfPd2C9T01az+poYVsZyVgCeNo1d
+oP8ykZEn/w3A2REGIzPNb8=
=q4at
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html