Microsoft's Man-Years Argument


Fully vaccinated are you?
Read it. Quite good!

"I'd be astonished," said Steven B. Lipner, Microsoft's director of security assurance, "if the open-source community has in total done as many man-years of computer security code reviews as we have done in the last two months."

What Lipner was saying, with that Microsoft swagger, was simple: Microsoft has rallied its massive army of smart developers under the banner of "Trustworthy Computing" and turned their overpowering force on its security problem -- the plague of Internet-borne viruses and worms that afflicts many of its products. The problem, like one of Microsoft's competitors, is doomed. No other force on earth -- certainly nothing as puny as a ragtag bunch of volunteer programmers contributing code fixes cooperatively -- could possibly match such might. Die, worms, before the wrath of Gates!

It sounds intimidating. Only, to anyone with a long memory in the software field, the term "man-years" should set off some alarms.

Technically, Lipner is saying the following: Let X equal the number of individual Microsoft programmers reviewing its products' security, multiplied by the amount of time each has spent on the task. Let Y equal the number of open-source programmers reviewing their software's security, multiplied by the amount of time they have spent on the task. X is way greater than Y. All this rings with the kind of scary precision that cows nontechnical people when they hear it in engineers' voices.

The trouble is, the whole concept of measuring software productivity in "man-years" or "man-months" is profoundly discredited -- and not by some radical new theory of software development, but in what is probably the single most seminal work on software management: Frederick P. Brooks' "The Mythical Man-Month," first published in 1975, when Bill Gates was a stripling and personal computing a dream.

Today, with the software industry a linchpin of the global economy, we tend to think of open source as a radical new challenge to the Microsoft-style norm. So it's useful, in looking back at a classic like Brooks' "Mythical Man-Month," to be reminded that -- in the days before Gates and company built their empire on operating-system software -- open source was once considered simple common sense.

In Brooks' day, a program had no general value -- was not considered a true "programming product," in Brooks' words -- unless it could be "run, tested, repaired, and extended by anybody." (The italics are mine.) Such programming "products" require "thorough documentation, so that anyone may use it, fix it, and extend it." To Brooks, and many other software experts of his era, if the programmer hadn't enabled anyone to fix or extend his work, he hadn't finished his job.

Microsoft takes a different view -- always has. With its vast resources, Microsoft can afford more "man-years" than anyone else on earth. But can it rewrite principles of the software business first identified nearly 30 years ago?

The answer will become plain as the results of the "trustworthy computing" project emerge. If the torrent of security gaffes in Microsoft products vanishes, we can applaud Redmond's intrepid troops. But if we're still battling the spawn of the NIMDA and Code Red worms in a year or two, it's time to stop trusting Bill Gates for good.


You get what you measure


Thanks for linking to such an excellent article!

The thing I immediately thought of is that what gets measured is what gets produced. At Micro$oft and too many other big corporations, what gets measured is more on the lines of conformance to deadlines and "use the tools we gave you, not the ones best for the job" rather than anything to do with product/service quality as seen by the customer.

(I also thought "gee! I'm not the only person who still has a copy of 'The Mythical Man-Month' on his shelf!")

Open sharing of ideas always has great benefits for all of the participants, as is clearly exemplified here in The Cove! :D



Fully vaccinated are you?
What kills me is the rhetoric and BS. When you parse the verbiage and evaluate the facts it all falls apart. The 'promo' depends upon the ignorance of the 'masses'.

The same effect is seen in many companies - I've seen it many times working as a contract employee, as much as I hate to admit it...

I never read the book but heard of the theory and knew it was not confined to software.