# Eugene Bobukh's Blog

Bringing science and software security together
• #### Equation of a Fuzzing Curve -- Part 2/2

Follow-up notes and discussion. See Part 1 here. Can you predict how many bugs will be found at infinity? No. There seems to be a fundamental limit on fuzzing curve extrapolation. To see that, consider bug distribution function of...
• #### Equation of a Fuzzing Curve -- Part 1/2

Equation of a Fuzzing Curve Introduction While fuzzing, you may need to extrapolate or describe analytically a "fuzzing curve", which is the dependency between the number of bugs found and the count of fuzzing inputs. Here I will share my...
• #### Estimating Hidden Bug Count -- Part 3/3

Part 4: Step By Step Guide This is just a summary of the previous chapters as a flow chart (click here for the derivation of the method): Here variable meanings are: External bugs, or E – the count of active (not fixed) bugs reported...
• #### Estimating Hidden Bug Count -- Part 2/3

Previous part: introduction and simpler theory Next: Flowchart Summary and Limitations Part 3: Harsh Reality That simple logic is nice, but practice makes it questionable for at least two reasons: Bugs found by either...
• #### Estimating Hidden Bug Count -- Part 1/3

Part 1: Introduction and Basic Theory Part 2: Accounting for Bug Fixes Part 3: Flowchart Summary and Limitations Part 1: Introduction Probably every piece of software has some defects in it. Known defects (also called...
• #### Practice and Theory of Security Reviews -- Part 3

Problem introduction and disclaimer. Security Review Heuristics Zoo. Part 3 -- Reflections Or rather a few closing notes... Can you quantify "product security"? Usually when people start talking about "X being 23% more secure than Y"...
• #### Security Reviews: The Heuristics Zoo, Part 2/2

Introduction (Part I) The Heuristics Zoo, Part 1/2 Note: standard Disclaimer expressed in Part I applies here as well. Heuristic 5: "Area Expertise" and "Penetration Testing" These two seemingly different techniques share a lot in how they...
• #### Security Reviews: The Heuristics Zoo, Part 1/2

Initially meant to fit into one chapter, this text grew quickly and I had to split it into two. So there will be four parts of the article in total. Introduction (or Part I) is here. <Disclaimer>By no means is this list "complete". I think...
• #### Practice and Theory of Security Reviews

Click here if you want to skip all the theory and just go to the Security Reviews Heuristics Zoo. If you are a software security professional, you might've been asked sometimes to conduct a "security design review". If you felt lost at that point,...
• #### More on 2.0 changes: Delegates Security

The text below is provided "AS IS", without any responsibilities attached to it. It represents the author's personal opinion and knowledge, and does not necessarily reflect recommended best practices of Microsoft. Author...
• #### FullTrust means Full Trust

The text below is provided "AS IS", without any responsibilities attached to it. It represents the author's personal opinion and knowledge, and does not necessarily reflect recommended best practices of Microsoft. Author does not assume any responsibility...