Full Disclosure mailing list archives

Re: Web sites compromised by IIS attack
From: Raj Mathur <raju () linux-delhi org>
Date: Fri, 2 Jul 2004 07:51:54 +0530


"Valdis" == Valdis Kletnieks <Valdis.Kletnieks () vt edu> writes:

    Valdis> On Wed, 30 Jun 2004 21:08:27 CDT, Paul Schmehl
    Valdis> <pauls () utdallas edu> said:
    >> I attended a presentation yesterday for a security product in
    >> the application firewall field.  During the presentation, the
    >> CISSP stated that "in every 1000 lines of code there will be 15
    >> errors".  I don't know if I'd agree with that - I suspect most
    >> coders are a bit better than that - but I had to chuckle,
    >> because, of course, I immediately thought, "So you admit that
    >> your code is riddled with holes!"

    Valdis> Actually, I suspect most coders are *worse* than that.

    Valdis> Sendmail 8.13.0 weighs in at just about 90K lines of C
    Valdis> code for the main program.  By that metric, there should
    Valdis> only have been 135 bugs in it. In fact, there are 441
    Valdis> occurrences of 'Problem noted by' in the release notes.

    Valdis> BIND 9.2.3 has 1,525 entries in the CHANGELOG file, of
    Valdis> which 774 are listed as '[bug]' entries.  I'm fairly sure
    Valdis> that BIND9 is well under 510,000 lines of code, so again
    Valdis> we're running well above 15 bugs per KLOC.

    Valdis> So either (a) Sendmail and BIND were written by people who
    Valdis> were *incredibly* worse than "the average programmer", or
    Valdis> 15 errors/KLOC is a vast understatement.  Now although
    Valdis> Sendmail may not be a paragon of excellent programming
    Valdis> practice, it would be hard to argue that it's literally 4
    Valdis> times as buggy as code written by "the average programmer"
    Valdis> - think back to your "intro to programming" class and ask
    Valdis> what the *lower* half of the class would have done if they
    Valdis> had done a rewrite of Sendmail... ;)

My arithmetic is pretty bad too, so...
[raju () mail ~]$ bc -l
bc 1.06
Copyright 1991-1994, 1997, 1998, 2000 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'.


-- Raju

    Valdis> I might be willing to accept 15 *security-critical* errors
    Valdis> per 1,000 - the vast majority of bugs are *not* a security
    Valdis> issue.

-- 
Raj Mathur                raju () kandalaya org      http://kandalaya.org/
       GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
                      It is the mind that moves
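The bugs-per-KLOC reasoning in the quoted message, worked through as an added example (not code from the thread): it counts the same textual markers Valdis uses as a bug proxy ('Problem noted by' lines and '[bug]' CHANGELOG entries) over constructed excerpts, then applies the sizes and counts quoted in the thread against the claimed 15 bugs per 1,000 lines. The excerpts are invented for illustration and are not real Sendmail or BIND text.

```python
import re

# Constructed excerpts in the style the thread describes (NOT real
# Sendmail release notes or the BIND CHANGELOG).
SENDMAIL_NOTES = """\
8.13.0/8.13.0   2004/06/20
        Fix a buffer handling error in the queue runner.
                Problem noted by A. Tester of Example Corp.
        Avoid a crash when a map lookup returns no data.
                Problem noted by B. Reporter.
        New option QueueSortOrder=none.
"""

BIND_CHANGELOG = """\
1525.   [bug]           named could fail to restart when a zone was
                        removed from the configuration.
1524.   [func]          Add rndc flushname.
1523.   [bug]           Off-by-one in message parsing.
1522.   [port]          Fix compilation on an older libc.
"""


def count_entries(text: str, pattern: str) -> int:
    """Count the textual markers used as a bug proxy (one per match)."""
    return len(re.findall(pattern, text, flags=re.MULTILINE))


def expected_defects(kloc: float, rate_per_kloc: float) -> float:
    """Bugs predicted by a flat rate of rate_per_kloc per 1,000 lines."""
    return kloc * rate_per_kloc


def observed_density(defects: int, kloc: float) -> float:
    """Bugs per KLOC implied by an observed count and a code size."""
    return round(defects / kloc, 2)


def kloc_at_rate(defects: int, rate_per_kloc: float) -> float:
    """Code size (KLOC) at which `defects` would exactly match the rate."""
    return round(defects / rate_per_kloc, 2)


if __name__ == "__main__":
    # Proxy counts over the constructed excerpts above.
    print(count_entries(SENDMAIL_NOTES, r"Problem noted by"))     # 2
    print(count_entries(BIND_CHANGELOG, r"^\d+\.\s+\[bug\]"))     # 2
    # Figures quoted in the thread: Sendmail ~90 KLOC with 441 reports,
    # BIND with 774 [bug] entries, claim of 15 bugs per KLOC.
    print(expected_defects(90, 15))   # 1350.0
    print(observed_density(441, 90))  # 4.9
    print(kloc_at_rate(774, 15))      # 51.6
```

The proxy is crude: a single 'Problem noted by' line may cover one report of many duplicates, and a CHANGELOG '[bug]' entry may or may not be security-relevant, which is the distinction the message itself closes on.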


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
