264 Core Software Security
9.1.1 Produce Secure Code
Every program has (at least) two purposes: the one for which it was
written and another for which it wasn’t.
1
If software engineers, those who write software, could produce correct,
error-free code, there would be far less of a software security problem.*
And with only correct software there is no need for all the non-design
related tasks of the SDL. At the risk of stating the obvious, writing correct
code has always been difficult, even without security considerations.
Since the dawn of the software industry, when software engineers adopted
the term “bug,” meaning “software error,” engineers have struggled to
produce code that is correct, both logically and without runtime error.
Inferring from the vast experience of all the software that has been writ-
ten, we can conclude that writing error-free code is very, very difficult.
It’s not impossible, but it remains an expensive ideal rather than a norm.
Realizing the error-prone nature of producing code, software engi-
neers have attempted to find a metric that shows how dependable and
error-free any particular piece of code might be. One measure is the num-
ber of defects, “bugs,” per line of code written. It is generally accepted
that production software contains approximately 1 error per 1000 lines
of code. This is a very general statistic. It is possible to produce software
that has far fewer errors; one need look only at critical space mission or
military software, which often must adhere to much stricter defect limits.
And, of course, poorly written software may have orders of magnitude
more errors than 1 in 1000. Generally, however, there are errors in any
moderately complex piece of code. As far as we can tell today, there is no
way for us to ensure that 100 percent of the software or security errors
will be eliminated before software is released. The best approach is to go
through the required SDL activities (see below, determining questions) to
ensure that most of the errors can be caught and fixed before a product
is deployed or sold. If errors are found after software release, one should
* There would still logical errors, errors of architecture and design omission and com-
mission. Logical errors are not dependent upon correct code. It is quite possible to
insecurely specify, and then code that mistake correctly to the specification. That
is, it is possible to correctly follow the incorrect specification and introduce a logical
vulnerability.