Conferences and supporting programme
Avoiding Unsafe and Insecure Complex Software
In everyday language, the words 'complex' and 'complicated' are synonymous. A complex cake recipe is complicated. But in development circles, software complexity is more specifically concerned with the extent to which a system is difficult to comprehend, modify and test, and not the complication inherent in the function it is designed to fulfil. Two systems equivalent in functionality can therefore differ greatly in their software complexity. And the more complex the code, the more difficult it is to understand, test and maintain, and the more likely it is that problems will arise.

The learned committees responsible for functional safety and security standards are unanimous in their distaste for complexity. For example, IEC 61508 and its derivatives include clauses related to Low Complexity Software, and require that evidence of low complexity is presented as part of the certification process. From a security perspective, one of SEI CERT's 'top 10' secure coding practices is to 'keep it simple' and hence avoid complexity.

This presentation will discuss why the avoidance of complexity features so highly in the standards, how it is enumerated, and how it can be minimized. It will contend that metrics such as McCabe’s cyclomatic complexity need to be considered in the context of the application itself; more as a comparator than an absolute measure. And it will argue that mission-critical application or not, complexity is a “bad thing” and something to be avoided.

Date: 26.02.2019
Time: 3:00 PM - 3:30 PM
Location: Conference Counter NCC Ost