Developing secure software. Was: Re: [Dshield] DCOM morning after

Jon R. Kibler Jon.Kibler at
Wed Aug 13 14:44:05 GMT 2003

Stephane Grobety wrote:
> SV> Why can't Microsoft just make sure that they are stuffs are correctly and
> SV> securely written and coded?
> That's a delusion. Software without bugs doesn't exists. The average
> piece of software, when initially written, has about one bug every 50
> lines of source code when written by a good programmer. With strong QA
> and lots of testing, this number can be changed to one bug every 200
> lines of code, on average. Oh, and that's not Microsoft's code, BTW,
> it's everyone's.

I beg to disagree. I have worked on several large DoD (U.S. Department of Defense) projects during my 30-something years in this business, and NONE of the mission or safety critical projects that strictly followed DoD Software and Systems Engineering Standards EVER had that many (1 per 200 LOC) bugs!

In fact, one weapon systems project I worked on had several million LOC, and at delivery to the customer, it had 6 known bugs. All were fixed and no new software bugs were reported during the first year of deployment.

Developing far less buggy software than is commonly seen today can be easily done. The technology to do so has been available since the early 1970s. 

It is informative to compare how most IT managers view costs vs. how most DoD managers view costs. In IT, management tends to look strictly at development costs. Whereas, DoD tends to look strictly at the life-cycle cost of a system.

Yes, software developed under strict DoD standards and practices is expensive -- typically costing 2 to 5 times the cost of a comparable size commercial system. However, the entire product life-cycle cost of a DoD software system is typically only 20% to 30% that of a commercial system. Why? Support costs are far lower because you are not constantly patching and rebreaking the software.

Good, clean, secure software CAN be written. The only issue is cost.

Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC  USA

More information about the list mailing list