Death of antivirus software imminent

Adam Shostack adam at homeport.org
Mon Jan 7 16:12:56 EST 2008


On Mon, Jan 07, 2008 at 10:35:00AM -0500, dan at geer.org wrote:
| 
| Jerry,
| 
| It is always possible that I misunderstand the McCabe
| score which may come from the fact that so many build
| environments compute it along with producing the binary,
| i.e., independent of human eyeballs.  If complexity
| scoring requires human eyeballs or the presence of the
| designer's flow charts, then will we ever get meaningful
| numbers (sans artificial intelligence) for code we did
| not write ourselves?  [...yes, this parallels the many
| arguments about how can you trust crypto code you didn't
| write, either...]
| 
| If McCabe scoring is your area, do you agree with the
| rule that a McCabe score of <10 is essential -- an argument
| that I am quoting from some NASA spec I read a while ago
| and can dig up again if that turns out to be necessary.

I'd question the description of "essential."  I've seen code (not at
my current employer) that was very successful in the marketplace that
likely scored in the tens of thousands.  The code had been unrolled
for performance reasons, and those responsible knew the cost they were
paying.

Adam

---------------------------------------------------------------------
The Cryptography Mailing List