Re: Web sites compromised by IIS attack
From: Raj Mathur <raju () linux-delhi org>
Date: Fri, 2 Jul 2004 07:51:54 +0530
"Valdis" == Valdis Kletnieks <Valdis.Kletnieks () vt edu> writes:
Valdis> On Wed, 30 Jun 2004 21:08:27 CDT, Paul Schmehl
Valdis> <pauls () utdallas edu> said:
>> I attended a presentation yesterday for a security product in
>> the application firewall field. During the presentation, the
>> CISSP stated that "in every 1000 lines of code there will be 15
>> errors". I don't know if I'd agree with that - I suspect most
>> coders are a bit better than that - but I had to chuckle,
>> because, of course, I immediately thought, "So you admit that
>> your code is riddled with holes!"
Valdis> Actually, I suspect most coders are *worse* than that.
Valdis> Sendmail 8.13.0 weighs in at just about 90K lines of C
Valdis> code for the main program. By that metric, there should
Valdis> only have been 135 bugs in it. In fact, there are 441
Valdis> occurrences of 'Problem noted by' in the release notes.
Valdis> BIND 9.2.3 has 1,525 entries in the CHANGELOG file, of
Valdis> which 774 are listed as '[bug]' entries. I'm fairly sure
Valdis> that BIND9 is well under 510,000 lines of code, so again
Valdis> we're running well above 15 bugs per KLOC.
Valdis> So either (a) Sendmail and BIND were written by people who
Valdis> were *incredibly* worse than "the average programmer", or
Valdis> 15 errors/KLOC is a vast understatement. Now although
Valdis> Sendmail may not be a paragon of excellent programming
Valdis> practice, it would be hard to argue that it's literally 4
Valdis> times as buggy as code written by "the average programmer"
Valdis> - think back to your "intro to programming" class and ask
Valdis> what the *lower* half of the class would have done if they
Valdis> had done a rewrite of Sendmail... ;)
Valdis> I might be willing to accept 15 *security-critical* errors
Valdis> per 1,000 - the vast majority of bugs are *not* a security
My arithmetic is pretty bad too, so...
[raju () mail ~]$ bc -l
Copyright 1991-1994, 1997, 1998, 2000 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'.
-- Raju
Raj Mathur raju () kandalaya org http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
It is the mind that moves