SLOC Method of judging Comp Sec.

  1. #1
    Senior Member
    Join Date
    Jan 2003

    SLOC Method of judging Comp Sec.

    Hey Hey,

    Sometimes I'm really amazed by things that happen in this city, anyways.... this was an article that appeared in our paper. It's not very often we get a lot of high tech stuff, so something of this magnitude is very cool. I figured I'd post it here for everyone to see... I realize it's not much of a read, but I figured you may enjoy it anyways.

    Often, references are made to the number of vulnerabilities likely to exist in a software program based on the SLOC number. Based strictly on the SLOC number, the growth in size of Microsoft's Windows operating system would raise significant concern. Windows is estimated to have increased to 40 million lines in Windows XP from 20 million lines in the Windows NT 5.0 version.
    The rest of the article is available here:

    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington
    Looks like a pretty fair analysis to me (I particularly liked "NT5", because that is what Win2k really is).

    In the old days the SLOC metric was used to measure programmer productivity, efficiency and for project estimating... NOT security.

    OK there is the argument that the more complex something is, the more likely it is to have flaws. But this should be tempered with a consideration of how much of the code is core and how much is just "bells and whistles" fancy GUI stuff for example.

    Another thought is how coherent and managed the development was. Hell, I have worked on programs 4,000 to 6,000 lines long that have been developed by different people over a number of years... they were hell to support and maintain (no proper development documentation, of course).

    In the case of XP, it represents the merging of the M$ domestic and commercial OSes, so I guess it would have grown quite a bit, but I wonder how much of that is really "new" and is functional as opposed to cosmetic?
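The "core versus bells and whistles" point above is easy to make concrete: a raw SLOC figure says nothing about where the code sits, but the same counter, run per component, shows what fraction of a code base is actually security-relevant. The following script is an added example written for this thread, not code from either poster or from any article quoted here. It assumes C-style comment syntax (`//` and `/* */`), treats the first path segment as the component name, and uses two short constructed source files as input.

```python
"""Minimal SLOC counter with a per-component breakdown (constructed example).

Counts non-blank, non-comment lines per file, groups the totals by the first
path segment (assumed here to name the component), and reports how much of the
code lives in components the caller designates as "core".
"""
import re
from collections import defaultdict

# Matches a C-style block comment, including ones that span several lines.
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def _blank_out_block_comment(match: re.Match) -> str:
    # Replace the comment with the same number of newlines it contained, so the
    # physical line count of the file is preserved and code on the lines before
    # and after a multi-line comment is not merged into one line.
    return "\n" * match.group(0).count("\n")


def count_sloc(source: str) -> int:
    """Return the number of source lines of code in C-style text.

    Blank lines and lines that are only a comment are not counted. A line that
    has code followed by a trailing comment still counts. Limitation: a '/*'
    inside a string literal would be treated as a comment opener.
    """
    stripped = BLOCK_COMMENT.sub(_blank_out_block_comment, source)
    count = 0
    for line in stripped.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        count += 1
    return count


def sloc_by_component(files: dict) -> dict:
    """Map component name -> SLOC total. `files` maps path -> source text."""
    totals = defaultdict(int)
    for path, source in files.items():
        component = path.split("/", 1)[0]  # assumption: first segment = component
        totals[component] += count_sloc(source)
    return dict(totals)


def core_share(totals: dict, core_components) -> float:
    """Fraction of all SLOC that lives in the components named as core."""
    core = sum(totals.get(c, 0) for c in core_components)
    total = sum(totals.values())
    return core / total if total else 0.0


# Constructed sample files (not real Windows or any other project's source).
SAMPLE_FILES = {
    "kernel/auth.c": """\
/* Constructed sample: authentication check. */
#include "auth.h"

int check_token(const char *tok) {
    // reject empty tokens
    if (tok == NULL || tok[0] == '\\0') {
        return 0;
    }
    return verify(tok);   /* trailing comment does not remove the line */
}
""",
    "gui/theme.c": """\
// Constructed sample: purely cosmetic code.
#include "theme.h"

/*
 * Multi-line comment that must not count as code.
 */
void set_theme(int id) {
    apply_palette(id);
}
""",
}


if __name__ == "__main__":
    totals = sloc_by_component(SAMPLE_FILES)
    for component, sloc in sorted(totals.items()):
        print(f"{component:10s} {sloc:5d} SLOC")
    print(f"core share: {core_share(totals, ['kernel']):.2f}")
```

Run as-is it reports 7 SLOC for the kernel component and 4 for the GUI component, i.e. a core share of about 0.64. On a real tree the interesting output is that ratio, not the grand total: two products with the same SLOC figure can differ enormously in how much of it is reachable by untrusted input.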

