I am in full agreement that we need metrics.  The challenge is that syntactic 
metrics are easy to compute and not very useful from a management perspective
and that business-relevant metrics are much fuzzier and difficult to compute 
given a glob of code.

That said, we should keep trying!  I believe one answer is to take advantage of 
relative metrics over time.

gem

company www.cigital.com

------Original Message------
From: Steven M. Christey
To: Gary McGraw
Cc: Steven M. Christey
Cc: Secure Coding Mailing List
Sent: Oct 8, 2007 4:07 PM
Subject: RE: [SC-L] Microsoft Pushes Secure, Quality Code


On Mon, 8 Oct 2007, Gary McGraw wrote:

> Not surprising.  Last time I looked, attack surface is subjective.
> McCabe is not.  BTW, McCabe's Cyclomatic complexity boils down to 85%
> lines of code and 15% data flow if you do a principal component analysis
> on it.

Hopefully the SEI people are monitoring this list and can provide their
feedback.  They've done some concrete work in making attack surface as
objective as possible, enough to the point where they compared 2 FTP
servers about a year ago.  One of their papers comments that they wanted
to use the code scanners to make the calculations for them, but for some
reason they couldn't.

I was under the impression from Mike Howard's comments over the years,
that MS had some concrete (perhaps subjective) comparisons between
different MS variants, and this was part of the argument for Vista's
security over past MS operating systems.

> Just throw the code in the box and turn the crank.  Then discard the
> results and you're done!

While I understand the sentiment, it seems to me that you can't get very
far without metrics of some sort.  Perhaps more importantly, the real
decision-makers need them because it's not their job (and probably not
their expertise) to pore through endless details.

- Steve


_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
