Thou shalt have no other gods before the ANSI C standard 1588
David Wagner Those are not as common in the literature. I suspect that is due to the expense of gathering...
Trevor L. Jackson, III
I believe there are huge variations in capabilities between the top 5% and the median programmer. Suppose for sake of argument we assume that this is a 10x factor in productivity. But does this lead to an overall 10x reduction in cost for the project as a whole? Does it lead to an overall 10x reduction in defects for the project as a whole? That's the part I'd particularly like to see supported. In other words, end-to-end measurements.
Yes, that is hard -- but we can at least measure the occurrence rate of defects; the occurrence rate of different kinds of defects, broken down by category; the effect of different kinds of development methodologies, languages, etc. on defect rates; and so on. We can identify root causes and learn from them, as well. We don't need a general "measure of security" to start doing this kind of thing.
Because I don't see many examples of organizations who are very interested in sharing details about defects in software they have built (let alone analysis of the cause of those defects). When such disclosures occur, it is typically because the software producer has little choice -- e.g., an independent researcher has found the defect and is going to publish it no matter what the software producer does.
Open-source projects tend to be different. I'm talking about commercial software development here.