Ratty Signals

(Posted by adam)

So, we have a security signal that's available, but not used. Why might that be? Is the market inefficient, or are there real limitations that I missed?

There are a few things that jump to mind:

  1. Size of code issues. More code will produce a longer report. RATS produces a line count, but doesn't report numbers in terms of, say, "8 issues per KLOC."
  2. The severity of issues raised. How do you compare the low, medium and high severity issues? RATS doesn't help with this.
  3. Ian Grigg mentioned a real instance of the perverse incentive to make changes to shut up compiler warnings.

So it seems that the market is reasonably efficient, and that RATS would make a poor signal, because of the difficulty of evaluating it.
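
As an added illustration of points 1 and 2 (not code from the original post), the following Python parses a constructed RATS-style text report, whose "file:line: Severity: description" and "Total lines analyzed:" line formats are assumed here, and turns the raw counts into the per-KLOC and severity-weighted densities that RATS itself does not report; the severity weights are an assumption chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample in the style of RATS's plain-text report (format assumed).
SAMPLE_REPORT = """\
Analyzing server.c
server.c:12: High: fixed size local buffer
server.c:40: High: strcpy
server.c:77: Medium: sprintf
server.c:90: Low: getenv
Analyzing util.c
util.c:5: Medium: strncpy
Total lines analyzed: 1250
"""

FINDING_RE = re.compile(r"^(?P<file>[^:\s]+):(?P<line>\d+): (?P<sev>High|Medium|Low): ")
LINES_RE = re.compile(r"^Total lines analyzed: (?P<n>\d+)$")

# Illustrative assumption: RATS itself assigns no numeric weight to a severity.
SEVERITY_WEIGHT = {"High": 10, "Medium": 3, "Low": 1}


def parse_report(text):
    """Return (Counter of findings by severity, total lines analyzed)."""
    counts = Counter()
    lines_analyzed = 0
    for raw in text.splitlines():
        m = FINDING_RE.match(raw)
        if m:
            counts[m.group("sev")] += 1
            continue
        m = LINES_RE.match(raw)
        if m:
            lines_analyzed = int(m.group("n"))
    return counts, lines_analyzed


def signal(counts, lines_analyzed):
    """Normalise raw counts into per-KLOC densities so two code bases can be compared."""
    if lines_analyzed == 0:
        raise ValueError("no lines analyzed; a density is undefined")
    kloc = lines_analyzed / 1000.0
    total = sum(counts.values())
    weighted = sum(SEVERITY_WEIGHT[sev] * n for sev, n in counts.items())
    return {"issues_per_kloc": total / kloc,
            "weighted_per_kloc": weighted / kloc,
            "by_severity": dict(counts)}
```

The same raw count of five findings reads very differently at 1,250 lines than it would at 125,000, which is exactly the comparison the unnormalised report leaves the reader to make by hand.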

Posted by adam on January 1, 2005 at 1:45 PM in Economics, information security.

TrackBacks

Listed below are links to weblogs that reference Ratty Signals:

» Security Signalling - the market for Lemmings from Financial Cryptography
Adam continues to grind away at his problem: how to signal good security. It's a good question, as we know that the market for security is highly inefficient, some would say dysfunctional. E.g., we perceive that many security products are...

» Following up "Liability for Bugs" from Emergent Chaos
(Posted by Adam) Chris just wrote a long article on "Liability for bugs is part of the solution." It starts "Recently, Howard Schmidt suggested that coders be held personally liable for damage caused by bugs in code they write."...

» Following up "Liability for Bugs" from Emergent Chaos
Chris just wrote a long article on "Liability for bugs is part of the solution." It starts "Recently, Howard Schmidt suggested that coders be held personally liable for damage caused by bugs in code they write." Chris talks about...