[langsec-discuss] a question on code volume

dan at geer.org dan at geer.org
Mon Dec 29 22:53:20 UTC 2014


As I said to two others who wrote off-list, the 40% figure
is a relic of what I was myself taught long ago but have
heard re-mentioned from time to time over the intervening
years.  For all I know, it traces to Fred Brooks or Donald
Knuth.  On the other hand, an ex-Bell Labs mentor once told
me "Never test for an error you cannot handle."

As it turns out, however, I may get a static analysis crew
to characterize what they know.  One of the off-list respondents
also gave me a good lead.  Analyzing code bases seems like one
of those places where a good result requires a good question
in the first place.  Given the langsec idea, perhaps a question
to ask would be how concentrated versus how scattered is the
input processing in some system.

What questions would you (plural) ask?

--dan
