Shostack + Friends Blog Archive


Ratty Signals

So, we have a security signal that’s available, but not used. Why might that be? Is the market inefficient, or are there real limitations that I missed?

There are a few things that jump to mind:

  1. Size of code issues. More code will produce a longer report. RATS produces a line count, but doesn’t report a normalised figure such as “8 issues per KLOC.”
  2. The severity of issues raised. How do you compare the low, medium and high severity issues? RATS doesn’t help with this.
  3. Ian Grigg mentioned a real instance of the perverse incentive to make changes to shut up compiler warnings.

So it seems that the market is reasonably efficient, and that RATS would make a poor signal, given the difficulty of evaluating it.
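To make the first two limitations concrete, here is an added example (not the author’s code and not part of RATS) that turns a raw findings report into the two figures the post says RATS lacks: issues per KLOC and a severity-weighted density. The report line shape, the severity weights and both sample reports are constructed assumptions for illustration.

```python
"""Normalise findings by code size and severity (constructed example)."""
from collections import Counter
import re

# Assumed report line shape: "<file>:<line>: <Severity>: <function>".
FINDING_RE = re.compile(
    r"^(?P<file>[^:]+):(?P<line>\d+): (?P<sev>High|Medium|Low): (?P<what>\S+)"
)

# Weights are an assumption for this example, not something RATS provides.
SEVERITY_WEIGHT = {"High": 10, "Medium": 3, "Low": 1}


def parse_findings(report: str) -> Counter:
    """Count findings per severity label; lines that do not match are ignored."""
    counts = Counter()
    for line in report.splitlines():
        m = FINDING_RE.match(line)
        if m:
            counts[m.group("sev")] += 1
    return counts


def score(report: str, lines_of_code: int) -> dict:
    """Return raw count, issues per KLOC and severity-weighted issues per KLOC."""
    if lines_of_code <= 0:
        raise ValueError("lines_of_code must be positive")
    counts = parse_findings(report)
    raw = sum(counts.values())
    weighted = sum(SEVERITY_WEIGHT[s] * n for s, n in counts.items())
    kloc = lines_of_code / 1000
    return {
        "raw": raw,
        "per_kloc": round(raw / kloc, 2),
        "weighted_per_kloc": round(weighted / kloc, 2),
        "by_severity": dict(counts),
    }


# Constructed reports for two hypothetical code bases of very different size.
SMALL = "small/net.c:12: High: strcpy\nsmall/net.c:40: High: gets\nsmall/util.c:7: Low: printf\n"
LARGE = ("large/a.c:3: Low: printf\nlarge/b.c:88: Medium: getenv\n"
         "large/c.c:10: Low: fopen\nlarge/d.c:120: Low: printf\n")

if __name__ == "__main__":
    # Raw counts rank LARGE as worse (4 vs 3); normalised figures reverse that.
    for name, rep, loc in (("small", SMALL, 500), ("large", LARGE, 20000)):
        print(name, score(rep, loc))
```

The raw count ranks the larger code base as worse, while both normalised figures rank the small one as worse, which is exactly the comparison a consumer of the signal would need and cannot get from the raw report.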

3 comments on "Ratty Signals"

  • Security Signalling – the market for Lemmings

    Adam continues to grind away at his problem: how to signal good security. It’s a good question, as we know that the market for security is highly inefficient, some would say dysfunctional. E.g., we perceive that many security products are…

  • Following up “Liability for Bugs”

    (Posted by Adam) Chris just wrote a long article on “Liability for bugs is part of the solution.” It starts “Recently, Howard Schmidt suggested that coders be held personally liable for damage caused by bugs in code they write.”…

  • Following up “Liability for Bugs”

    Chris just wrote a long article on “Liability for bugs is part of the solution.” It starts “Recently, Howard Schmidt suggested that coders be held personally liable for damage caused by bugs in code they write.” Chris talks about…

Comments are closed.