- [A1] Bureau of Labor Statistics (BLS) says: 435,000 computer programmers in the U.S. (projected to decrease over ten years, interestingly). How many in the world? Let’s use 2 million (reasonable?).
- [A2] Various sources suggest 5 – 10 KLOC per developer per year. Let’s use 6 KLOC/yr, 500 LOC/month; 25 LOC/wkday.
- [A3] Previously, we settled on 1 security defect per 10,000 lines of code.
- [A4] IBM X-force says: 6,437 vulnerabilities found in 2007. Let’s use 10,000 (conservative for our calculations and to account for suggested aggregation of vulnerabilities). That’s 840/month; 40/wkday (that seems high to me – maybe 10k wasn’t a good idea).
- [A5] SWAG says 1,000 skilled bugfinders in the world with 5 bugs in their back pocket at any given time.
- [C1] Number of new lines of code created every day — 2m * 25 = 50 million [A1]*[A2]
- [C2] Number of new vulnerabilities created every day — 50m / 10k = 5,000 [C1]/[A3]
- [C3] % of new vulnerabilities eventually found — 40/5,000 = 0.8% (99.2% of vulns remain undisclosed, mostly undiscovered). [A4]/[C2]
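As an added worked example (not from the original post), the assumptions above wired into a small model, plus a sweep over the two inputs the text itself flags as shaky ([A3] defect density and [A4] vulns found). Per-workday values are fed in directly as stated in [A2] and [A4], so the outputs match C1–C3 exactly; the sweep ranges are my own choice.

```python
# Back-of-envelope vulnerability model built from the A1-A4 assumptions above.
# Inputs are per working day, as the post states them, so no calendar
# conversion is needed and the results reproduce C1-C3 exactly.

def new_loc_per_day(programmers: int, loc_per_dev_day: float) -> float:
    """C1 = A1 * A2: new lines of code written worldwide per working day."""
    return programmers * loc_per_dev_day

def new_vulns_per_day(programmers: int, loc_per_dev_day: float,
                      loc_per_defect: float) -> float:
    """C2 = C1 / A3: new security defects introduced per working day."""
    return new_loc_per_day(programmers, loc_per_dev_day) / loc_per_defect

def fraction_found(programmers: int, loc_per_dev_day: float,
                   loc_per_defect: float, found_per_day: float) -> float:
    """C3 = A4 / C2: share of new vulnerabilities that are eventually found."""
    return found_per_day / new_vulns_per_day(programmers, loc_per_dev_day,
                                             loc_per_defect)

def sensitivity(programmers: int = 2_000_000, loc_per_dev_day: float = 25):
    """Sweep A3 (1 defect per N LOC) and A4 (found per workday) and return
    (loc_per_defect, found_per_day, fraction_found) rows.
    Sweep values are assumed: 26/day is roughly the 6,437/yr X-Force figure,
    40/day is the rounded 10,000/yr used in [A4]."""
    rows = []
    for loc_per_defect in (1_000, 10_000, 100_000):
        for found_per_day in (26, 40):
            rows.append((loc_per_defect, found_per_day,
                         fraction_found(programmers, loc_per_dev_day,
                                        loc_per_defect, found_per_day)))
    return rows

if __name__ == "__main__":
    c1 = new_loc_per_day(2_000_000, 25)
    c2 = new_vulns_per_day(2_000_000, 25, 10_000)
    c3 = fraction_found(2_000_000, 25, 10_000, 40)
    print(f"C1: {c1:,.0f} new LOC/day")
    print(f"C2: {c2:,.0f} new vulns/day")
    print(f"C3: {c3:.1%} found, {1 - c3:.1%} remain undisclosed")
    for loc_per_defect, found, frac in sensitivity():
        print(f"  1 defect / {loc_per_defect:>7,} LOC, {found:>2} found/day"
              f" -> {frac:.2%} found")
```

The sweep makes the post's own caveat concrete: the undisclosed share only drops below 90% if the defect density is ten times lower than [A3] assumes, whatever value of [A4] is used.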