Wednesday, 5 November 2008

Security & Economics

Honestly, I find it difficult to understand why people do not grasp why errors and low-quality software occur.

A comment was made as a question on Security Focus:
Why isn't Quality Assumed?
Why isn't Security Assumed?
Why are these concepts thought of as add ons to Applications and Services?

Why do they need to be specified, when they should be taken for granted?
- Input Validation
- Boundary Conditions
- Encrypt Data as necessary
- Least Privilege Access
- White lists are better than Black lists

It is simple economic theory. We are talking high school level. If you
think about it for a moment you will come to understand.

First, think of a few things in life outside IT. I will pose a few
questions and see if you can answer them:

  • Are all cars of the same quality? Why do you pay more for a Lexus over
    a Hyundai?
  • Do you have to take insurance on a trip?

Now some that are a little closer to home:
  • Are all door locks of the same quality?
  • Do all houses come with dead-bolts and alarm systems?
  • Do all cars have a LoJack installed?
  • Do all windows on all houses have quality locks?
  • Are all windows made of Lucite (which is childproof)?

The simple answer is that quality varies with cost. If you want more,
you pay more. This is honestly a simple exercise. Quality software
does exist. If you like, you can go to the old US Redbook standards and
have an "A" class software verification, but then that copy of
Windows XP or Vista will cost $10000+.

I do code reviews. They are needed both to verify the findings from
the static analysis software used to test code and to gain a higher
level of assurance. Even then, this is not perfect, as modeling complex
interactions is more time-consuming and error-prone.

I can do around 190 to 220 lines of code an hour on a good day for a
language such as C. Less for Assembly. My rates are charged hourly. An
analysis of XP would take over 50,000 man hours at this level. This
excludes the fixes. This excludes the add-ons.

How many million lines of code are in Vista?

You get what you pay for.
