[SystemSafety] Static Analysis

Les Chambers les at chambers.com.au
Fri Feb 28 03:00:51 CET 2014


Derek
You seem to be suggesting that one should let truth stand in the way of a
good story!
As for the 500 million lines of code. Healthcare.gov is a class of service
oriented architecture. I suspect there is a lot of legacy code involved in
the various service organisations that this system interfaces with; they
probably counted them. 
As for brand-new code, you are correct. The contract award was September
2011. Even if 55 organisations were involved (many of which probably did not
write software) it would be nigh on impossible to accumulate that level of
new code in the time allocated. Especially as there was significant
rewriting going on as government changed its policies.
As to the credibility of the witness (Morgan Wright); did you read to the
end of the referenced document? His resume looks impressive.

Let me speak plainly. The point of my weeping is: the archetypal behaviour
we are witnessing here. In common with the safety critical domain, the
computer security domain is redolent with good process, cornucopia of
excellent white papers, technical literature, war stories and battalions of
experts. 
But the people at the coalface doing the work aren't listening! 
Les


-----Original Message-----
From: systemsafety-bounces at lists.techfak.uni-bielefeld.de
[mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] On Behalf Of
Derek M Jones
Sent: Friday, February 28, 2014 11:00 AM
To: systemsafety at lists.techfak.uni-bielefeld.de
Subject: Re: [SystemSafety] Static Analysis

Les,

> a testimony to a US Congress oversight committee on security
vulnerabilities
> in the Obama care system: healthcare.gov.  It makes you weep.

Weep because it contains so much nonsense that people might
take seriously?

500 million lines of code?

Ok, so they added up the source of Linux say 50 Million,
Microsoft Windows was 40 Million last time I heard but lets
say another 50 Million.

Then there are all the BSD variants, but they are not large,
say 20 Million all in.  They probably have some Solaris,
Oracle (no idea how much code is in that), plus all the
IBM stuff.  Let's say another 150 Million.

Well that gets us half way to 500 Million

> Crowd Sourced Investigations LLC, Testimony of Morgan Wright, CEO, Before
> the House Committee on Science, Space, and Technology,

"We are a no-cost resource for federal, state and local
law enforcement that uses the power of social media and crowdsourcing to 
solve
crime, return the missing and protect our children."

I'm sure they are very good at this.  They need to take a take a few
classes before saying anything too technical about software.

>
>
http://www.projectauditors.com/Papers/Troubled_Projects/HHRG-113-SY-WState-M
> Wright-20131119.pdf
>
>
>
>
>
> From: systemsafety-bounces at lists.techfak.uni-bielefeld.de
> [mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] On Behalf Of
> Mike Rothon
> Sent: Wednesday, February 26, 2014 9:25 PM
> To: systemsafety at lists.techfak.uni-bielefeld.de
> Subject: Re: [SystemSafety] Static Analysis
>
>
>
> On 25/02/14 20:40, Peter Bernard Ladkin wrote:
>
>
>
> It`'s hard to believe. Does stuff like this happen in the safety-critical
> area to leading companies still?
>
>
>
> I appreciate that these may not be because of a lack of static analysis,
but
> this caught my eye a little while back:
>
>
http://www.computerweekly.com/news/2240207488/US-researchers-find-25-securit
> y-vulnerabilities-in-SCADA-systems
>
> And it was interesting to see this mentioned in the Graham Cluley blog
> linked from The Guardian article.
>
> ReVuln's website declares that it can provide details of undisclosed and
> unpatched vulnerabilities in SCADA/HMI/ICS systems. These are the types of
> industrial control systems which are used by critical infrastructure such
as
> water treatment, power stations and gas pipelines.
>
> Mike
>
> Mike Rothon M::+44 7718 209010 mike.rothon at certisa.com
> Certisa is ISO 9001:2008 certified for Safety, Testing, Documentation and
> Certification
> Contact: T::+44 1932 889 442 F::+44 1932 918 118  www.certisa.com
> <http://www.certisa.com/>
>
>
>
>
>
>
> _______________________________________________
> The System Safety Mailing List
> systemsafety at TechFak.Uni-Bielefeld.DE
>

-- 
Derek M. Jones                  tel: +44 (0) 1252 520 667
Knowledge Software Ltd          blog:shape-of-code.coding-guidelines.com
Software analysis               http://www.knosof.co.uk
_______________________________________________
The System Safety Mailing List
systemsafety at TechFak.Uni-Bielefeld.DE



More information about the systemsafety mailing list