As I said to two others who wrote off-list, the 40% figure is a relic of what I was myself taught long ago but have heard re-mentioned from time to time over the intervening years. For all I know, it traces to Fred Brooks or Donald Knuth. On the other hand, an ex-Bell Labs mentor once told me "Never test for an error you cannot handle."
As it turns out, however, I may get a static analysis crew to characterize what they know. One of the off-list respondents also gave me a good lead. Analyzing code bases seems like one of those places where a good result requires a good question in the first place. Given the langsec idea, perhaps a question to ask would be how concentrated versus how scattered is the input processing in some system. What questions would you (plural) ask?

--dan

_______________________________________________
langsec-discuss mailing list
langsec-discuss@mail.langsec.org
https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss
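As an added illustration of the "concentrated versus scattered input processing" question raised above (this is example code written for this page, not anything dan or the langsec list produced), the script below does a crude static survey: it scans a set of C source files for calls to a list of input-reading functions and reports how many files touch raw input, what share of all input call sites the busiest file holds, and a Herfindahl index of the per-file shares (1.0 when every input site lives in one file, falling toward 1/n as sites spread evenly over n files). The sink list, the two sample code bases and the metric choice are all assumptions made for the example; a real survey would use a proper parser and a sink list tuned to the system under study.

```python
import re
from collections import Counter

# Functions that bring untrusted bytes into a program. This list is an
# assumption for the example; tune it to the code base being surveyed.
INPUT_SINKS = ("recv", "recvfrom", "read", "fread", "fgets", "gets",
               "scanf", "sscanf", "getenv", "getc", "getchar")

# Match an identifier from INPUT_SINKS followed by an opening parenthesis.
_CALL_RE = re.compile(r"\b(" + "|".join(INPUT_SINKS) + r")\s*\(")


def count_input_sites(files):
    """Return {path: number of input call sites} for a {path: source} mapping."""
    return {path: len(_CALL_RE.findall(src)) for path, src in files.items()}


def concentration(files):
    """Summarise how concentrated the input processing is.

    Returns (files_with_input, total_files, top_share, hhi):
      files_with_input - how many files contain at least one input call site
      total_files      - size of the code base surveyed
      top_share        - fraction of all input sites in the single busiest file
      hhi              - Herfindahl index of the per-file shares: 1.0 means one
                         file does all input handling, ~1/n means it is spread
                         evenly over n files
    """
    counts = count_input_sites(files)
    total = sum(counts.values())
    if total == 0:
        return 0, len(files), 0.0, 0.0
    shares = [c / total for c in counts.values() if c]
    return (sum(1 for c in counts.values() if c), len(files),
            max(shares), sum(s * s for s in shares))


# Constructed sample 1: all input handling lives in one parser file.
CONCENTRATED = {
    "parser.c": """
        int parse_frame(int fd, struct frame *f) {
            char buf[256];
            ssize_t n = read(fd, buf, sizeof buf);
            if (n <= 0) return -1;
            if (sscanf(buf, "%d %d", &f->a, &f->b) != 2) return -1;
            return 0;
        }
    """,
    "logic.c": "int handle(struct frame *f) { return f->a + f->b; }\n",
    "output.c": "void emit(int v) { printf(\"%d\\n\", v); }\n",
}

# Constructed sample 2: every file reads input from a different source.
SCATTERED = {
    "net.c": "void net(int fd) { char b[64]; recv(fd, b, 64, 0); dispatch(b); }\n",
    "cli.c": "void cli(void) { char *v = getenv(\"MODE\"); use(v); }\n",
    "file.c": "void load(FILE *fp) { char l[80]; fgets(l, 80, fp); parse(l); }\n",
}


if __name__ == "__main__":
    for name, tree in (("concentrated", CONCENTRATED), ("scattered", SCATTERED)):
        with_input, total, top, hhi = concentration(tree)
        print(f"{name}: {with_input}/{total} files read input, "
              f"busiest file holds {top:.2f} of sites, HHI={hhi:.2f}")
        print("  per-file sites:", Counter(count_input_sites(tree)).most_common())
```

The metric is deliberately simple so the survey can be run over a whole tree quickly; the interesting follow-up is to look at the files with a non-zero count and ask whether each one validates what it reads before handing it on, which is where a regex scan stops and real analysis begins.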