« OWASP CISO Panel
Consumer Application Security or Enterprise Application Security ? »

NSA Posts Secrets to Writing Secure Code – Write at 38 LOC Per Day

The National Security Agency has released a case study showing how to cost-effectively develop code with zero defects. If adopted widely, the practices advocated in the case study could help make commercial software programs more reliable and less vulnerable to attack, the researchers of the project conclude.

The case study is the write-up of an NSA-funded project carried out by the U.K.-based Praxis High Integrity Systems and Spre Inc. NSA commissioned the project, which involved writing code for an access control system, to demonstrate high-assurance software engineering.

With NSA’s approval, Praxis has posted the project materials, such as requirements, security target, specifications, designs and proofs.

All good until you read this

For this project, three Praxis engineers wrote 10,000 lines of code in 260 person-days, or about 38 lines of code per day.

That’s 38 lines a day for 3 engineers or just shy of 13 lines per engineer per day. An unlucky number for sure for anyone who thinks You could not do that in a commercial company and keep your job! Lets get real.

 

(I haven’t read the whole report, just the headlines in this story)

Explore posts in the same categories: Information Security Economics, Security metrics, Software Development, Software Security, open source

This entry was posted on October 21, 2008 at 7:09 am and is filed under Information Security Economics, Security metrics, Software Development, Software Security, open source. You can subscribe via RSS 2.0 feed to this post's comments. You can comment below, or link to this permanent URL from your own site.

5 Comments on “NSA Posts Secrets to Writing Secure Code – Write at 38 LOC Per Day”

  1. Nick Fnord Says:

    October 21, 2008 at 8:59 am

    Hi Mark,

    Perhaps I’ve been lucky with my employers, but over the last 9 years working as an oracle developer, every place I’ve worked has valued quality code over lines per day. Particularly if real-time processes are concerned, they’d rather I sit there all day thinking about the problem and then write 10 lines of high performance SQL for example rather than pounding out 1000′s of lines of procedural logic. Maybe this is more prevalent in places that are trying to glean the highest performance out of an application, and guess I can’t speak for non-database driven applications, but the number of lines of code written should be irrelevant.

    Nick

    Reply
  2. Victor Says:

    October 21, 2008 at 3:41 pm

    You might want to check your maths and update the headline. That was 260 person-days so it’s still 38 LoC per engineer per day.

    To a non-programmer it’s still a pretty low number.

    Reply
  3. mcurphey Says:

    October 21, 2008 at 4:50 pm

    Title and math fixed.

    Reply
  4. Crazy Dave Says:

    October 21, 2008 at 5:32 pm

    If all they were doing is writing 38 LOC a day, then yes they sux. However, if in addition to their 38 LOC they’re writing several 100′s of test cases for those 38 lines…then ok I can believe it…

    Reply
  5. Ted Says:

    October 22, 2008 at 1:52 am

    Zero defects is the target?

    #include

    main()
    {
    printf (“Hello World!\n”);
    }

    There. More complex stuff, all bets are off. All bets are off for this, actually.

    Seems a bit silly. Spaf discussed this 20 years ago.

    Reply

Comment: