[langsec-discuss] composability

Scott Guthery sbg at acw.com
Mon Jan 11 13:03:15 UTC 2016


>>>... in general we close off more bugs than we open nesting security 
>>>layers.

1) The only situation in which this may be true is when a small team designs 
all the layers, all the way down to the iron.  Even in this case there is no 
evidence to support the assertion and there are numerous anecdotes that deny 
it.
2) People can write code faster than they can find and fix bugs.
3) The number of bugs is in direct proportion to lines of code.

All that said, isn't the point to not create bugs in the first place? 
(Unless, of course, you're paid to find them. Low-paid code writers and 
high-paid code fixers bring to mind one hand washing the other.  See 
software contracts for Obamacare connectors.)

Cheers, Scott

P.S. Wouldn't it be more honest to start calling them 'faults' or 'errors' 
or 'failures' rather than 'bugs'?
