Comments on: Another Envelope: Vulnerability Growth Rates http://spiresecurity.com/?p=189 Risk and Cybersecurity Analysis Wed, 21 Aug 2013 23:28:51 +0000 hourly 1 http://wordpress.org/?v=3.5.1 By: Pete http://spiresecurity.com/?p=189&cpage=1#comment-268 Pete Wed, 07 May 2008 12:49:51 +0000 http://spiresecurity.com/blog/?p=189#comment-268 @Ilja -

I agree that estimation can be challenging. I also think it is worthwhile to add more precision to lines of reasoning (even if they are not yet accurate). In the absence of doing confidence interval work, I opted for something I thought was conservative. Judging from your thoughts on this, I got what I wanted.

Regarding your points about programmers – don’t forget there are a lot of other things programmers do that don’t involve coding. We are shooting for the final product over an extended time. So, if a programmer really only codes 4 hours a day and rewrites 25% of his/her code, those numbers can be affected significantly.

I think we can all get better at this if we keep trying (not necessarily for this specific case, but for estimation in security in general). I know the first time you do it, it seems difficult, so I appreciate you not just saying “its impossible” and actually taking a stab at it.

Thanks.

]]> By: ilja http://spiresecurity.com/?p=189&cpage=1#comment-267 ilja Wed, 07 May 2008 11:46:52 +0000 http://spiresecurity.com/blog/?p=189#comment-267 Hey Pete,
I don’t think I have better numbers, I really don’t know the numbers. And I think getting some of these numbers even in the same ballpark as the actual numbers would probably be hard. I guess it’s just a gut feeling. but 2 million programmers in the world ? if I’d have to make A guess, India alone could probably account for those 2 million. Then again, I could be way off. The same with those 1 bug in 10000 lines of code. It just doesnt sound right to me, I’d be more inclined to say 1 to 1000 (and I’m not alone here) but again, I could be way off. An average dev doing 25 lines of code a day ? I hope that number is really bogus. it has to be. that means on an average 8 hour workday they’d write 3 lines of code an hour ? I would go for atleast 100 a day, but again, I could be way off. My point is that we’re both probably way off and the outcome (using either your or my gueeses) is probably not realistic at all.

]]> By: Pete http://spiresecurity.com/?p=189&cpage=1#comment-266 Pete Wed, 07 May 2008 03:02:14 +0000 http://spiresecurity.com/blog/?p=189#comment-266 @Ilja -

I hope you mean they are very conservative. In any case, I would love to know what numbers you think are more reasonable.

]]> By: ilja http://spiresecurity.com/?p=189&cpage=1#comment-265 ilja Wed, 07 May 2008 01:34:55 +0000 http://spiresecurity.com/blog/?p=189#comment-265 dude, that must have been some good shit you were smoking when you typed that. 25loc a day ? 2 million programmers in the world ? 1 bug on ever 10kloc (so with those stats you’re saying the average dev makes 1 bug per year ??) those number just have to be bogus. they dont even sound remotely realistic.

]]>