[Dailydave] Coverage and a recent paper by L. Suto
Stephen John Smoogen
smooge at gmail.com
Mon Oct 15 18:47:34 EDT 2007
On 10/15/07, matthew wollenweber <mwollenweber at gmail.com> wrote:
> Personally, I don't understand the current trend in fuzzer research to go
> obtain full code coverage. Sure, it's nice to check everything and have a
> fuzzer traverse all the functions in the code, but maybe that's at the cost
> of doing it all poorly. If you have a fixed amount of time to do the
> assessment, I'd rather spend the time where it's needed. As you said, it's
> better to thoroughly test the code in spots where the bugs are.
>
However, when you are hacking someone's brain (e.g. the core of
marketing/sales) to get someone to buy your product and keep buying
your product... you want to use the magic words. Most big purchases
are going to be done by some mid-level manager who has been asked to
prepare a report on how their code looks towards hacking for some
obscure SOX report.. even if he was a hacker 2 months ago.. he has
been to so many finance meetings that all those cells went to Bermuda
and didn't leave a forwarding address.
In the time-pressed manager's brain 100% always sells better than say
10%. Even if you find 100% of the bugs in 10% of the code, and they
find 10% of the bugs in 100% of the code.. saying words like "Complete
code coverage" sits well in management's risk-averse mind.
--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"