Microsoft's Mythical Man Years
from the misleading-the-public dept
Salon takes Microsoft to task for claiming that they’re putting more “man-years” of reviews into the security of their code than the open source community ever has. The article first points out that it’s pretty well established these days that throwing more developers at a particular project doesn’t tend to make it better or faster – and in fact can do just the opposite. More importantly, he talks about the basic nature of how security checks are done on open source code – which is that a ton of real life tests are thrown at it very quickly. The stress testing is real – and as soon as an error is found, it’s possible to figure out where the hole was and work on fixing it. Testers get prestige for finding and fixing holes. In Microsoft’s world, no matter how many “man-years” they throw at it, they’re testing stuff in a lab – and not the real world. Even worse, you’re left trusting Microsoft that they’ve fixed the holes, rather than being able to check for yourself in open source code. It’s nice that Microsoft is trying to improve their “trustworthiness” – but they shouldn’t mislead the public about the effectiveness of their methods.
Comments on “Microsoft's Mythical Man Years”
Mythical Man Month doesn't apply to QA
The concept of the “Mythical Man Month”, while very true regarding actual developers, does not, in my experience, apply to QA. You *can* throw more QA at a product and increase its stability/security, as long as the development process remains *controlled* as before, with roughly the same number of developers.
I still don’t trust MS though 🙂