
| Subject: | [CISSP-D] REVIEW: "Code Quality: The Open Source Perspective", Diomidis Spinellis |
|---|---|
| Date: | Tue, 20 Feb 2007 10:40:40 -0800 |
BKCQTOSP.RVW 20061229

"Code Quality: The Open Source Perspective", Diomidis Spinellis, 2006, 0-321-16607-8, U$54.99/C$73.99
%A Diomidis Spinellis www.spinellis.gr/codequality dds@aueb.gr
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D 2006
%G 0-321-16607-8
%I Addison-Wesley Publishing Co.
%O U$54.99/C$73.99 416-447-5101 800-822-6339 bkexpress@aw.com
%O http://www.amazon.com/exec/obidos/ASIN/0321166078/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0321166078/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0321166078/robsladesin03-20
%O Audience a+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P 569 p.
%T "Code Quality: The Open Source Perspective"

The preface points out that it is easy to test for the functional requirements of an application: either the program performs the function or it doesn't. Nonfunctional requirements (including such characteristics as reliability, portability, usability, interoperability, adaptability, dependability, and maintainability) are much harder to assess, and yet may be more important. (In an automated train system, for example, the lack of a function to change the schedule from within a given train still allows you to use the train within a given schedule. Unreliability of the braking system means the system is worse than useless.) In addition, "Code Reading" (the title of Spinellis' previous book) is pointed out as the most common activity for developers, and yet is a skill seldom taught in the programming curriculum. The author has avoided using fictional code for the examples in this (and the prior) work by providing sample code from open source software projects, thus using working (but available) source code for illustrations.

Chapter one introduces the structure of the text by mapping characteristics from the ISO 9126 quality standard to the chapters and sections of the book. Inherent conflicts between different aspects of quality are also noted. (For example, large numbers of discrete operations enhance the functionality of a system, but at some cost in terms of usability.)

Reliability is examined, in chapter two, in terms of common flaws. Examples of such flaws are given, followed by an explanation of the specifics of the problem. This is followed by samples of code that address the problem stated. Each point and section is accompanied by questions and discussion points that could be used in a course teaching the issues of code quality. (Unlike all too many sets of questions these are rigorous and challenging. Sometimes they may be a little bit too demanding: occasionally the discussion would require intimate knowledge of the internals of a specific programming language.) The chapter ends with a summary of the points and factors covered.

Various security vulnerabilities and coding points are illustrated in chapter three, but, in comparison to the rest of the work, this material is weak and disappointing.

Performance issues in relation to time are reviewed in chapter four, and to space in five. The different factors of latency and bandwidth, and the trade-offs between memory and speed are noted. It is rather odd that Spinellis is at pains to point out that time efficiencies negatively affect simplicity and portability, while he goes to great lengths to provide suggestions for space optimizations for a variety of specific architectures (which wouldn't help portability either).

Chapter six looks at a number of factors relating to portability, between both hardware and operating system platforms.

Maintainability is the longest chapter (seven) in the book, and bears the closest relation to Spinellis' previous work on "Code Reading." There is a special section on the characteristics of object-oriented code.

Chapter eight, on floating point arithmetic, notes the sometimes surprising sources of inaccuracy.
In the information technology and development fields we are constantly obsessed with production of code and the speedy release of the next version. We need to stop and take a good look at the quality of what we produce: as is frequently stated, the greatest source of computer problems is computer solutions. In regard to security, it is demonstrably true that the exploits and difficulties that we find are those that would never have been created if only programmers had paid a little more attention to the fundamental concepts they were first taught. I believe Spinellis' text should be required reading for all programming courses and programs. In addition, those involved with analysis, maintenance, and change control should consider it a bible to be read and re-read until the lessons are firmly implanted.

copyright Robert M. Slade, 2007 BKCQTOSP.RVW 20061229

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
A truly English protest march would see us all chanting: `What do we want? GRADUAL CHANGE! When do we want it? IN DUE COURSE!' - Kate Fox, `Watching the English'
Dictionary of Information Security www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm