April 22nd, 2004, 11:47 PM
SLOC Method of judging Comp Sec.
Sometimes I'm really amazed by things that happen in this city, anyways... This was an article that appeared in our paper. It's not very often we get a lot of high tech stuff, so something of this magnitude is very cool. I figured I'd post it here for everyone to see... I realize it's not much of a read, but I figured you may enjoy it anyways.
The rest of the article is available here: http://www.canoe.ca/NewsStand/London...22/431400.html
Often, references are made to the number of vulnerabilities likely to exist in a software program based on the SLOC number. Based strictly on the SLOC number, the growth in size of Microsoft's Windows operating system would raise significant concern. Windows is estimated to have increased to 40 million lines in Windows XP from 20 million lines in the Windows NT 5.0 version.
April 23rd, 2004, 12:18 AM
Looks like a pretty fair analysis to me (I particularly liked "NT5", because that is what Win2k really is).
In the old days the SLOC metric was used to measure programmer productivity, efficiency and for project estimating... NOT security.
OK there is the argument that the more complex something is, the more likely it is to have flaws. But this should be tempered with a consideration of how much of the code is core and how much is just "bells and whistles" fancy GUI stuff for example.
Another thought is how coherent and managed the development was. Hell, I have worked on programs 4,000 to 6,000 lines long that have been developed by different people over a number of years... they were hell to support and maintain (no proper development documentation, of course).
In the case of XP, it represents the merging of the M$ domestic and commercial OSes, so I guess it would have grown quite a bit, but I wonder how much of that is really "new" and is functional as opposed to cosmetic?