Free Republic
Browse · Search
General/Chat
Topics · Post Article

To: ShadowAce

Hey, an eclectic topic for FR! :-)

In short, you measure how many lines of code a system -- be it bare metal, VM, or container -- uses to run a given application. The more code it runs, the more likely it is to have a HAP-level security hole.

I have a problem with this as a metric. In my opinion all assumptions derived from this are suspect. This measurement presumes all programmers are equal, and all code auditors are equal, and all code up the chain has been equally programmed and audited.

Only in the liberal fantasy world do all people remain equal throughout adulthood. There are gifted folks and there are folks who make a living programming that should never have access to a keyboard. Some code gets audited by an intelligent eye, some code is never seen by an auditor.

The quality of a software product does not necessarily decline as the lines of code increase.


5 posted on 07/17/2018 9:55:45 AM PDT by so_real ( "The Congress of the United States recommends and approves the Holy Bible for use in all schools.")


To: so_real; ShadowAce
> I have a problem with this as a metric.

#MeToo

> In my opinion all assumptions derived from this are suspect. This measurement presumes all programmers are equal, and all code auditors are equal, and all code up the chain has been equally programmed and audited.

It's worse than that. Maybe one could posit that, "on average", more code means more bugs, but only over a huge amount of code.

The problem is that people will take this metric and apply it to small individual cases. An average generalization that only makes sense over millions of lines of code simply cannot be applied to individual cases.

Consider: "On average", adult men are (say) 5'8" tall. And how many men in any given population are 5'8" tall? A tiny percentage. All the rest are taller or shorter, and that's the vast majority.

6 posted on 07/17/2018 10:56:21 AM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: so_real

This HAP metric is way oversimplified. I would regard this as a concept that can be worked into the executive summary of an expensive product or service.


8 posted on 07/17/2018 5:36:58 PM PDT by beef ( middle)



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson