Open source software security

The Extra Nine Times


In his book 'The Mythical Man Month', Fred Brooks asserts that it takes nine times more effort to produce a consumable software system than it does to produce a program for internal use. This means that a programmer might create a program that does something for personal use in an hour, but packaging that program into an application that others can use would take nine hours. At first blush this seems like a gross overstatement. After all, if a program works for one person, why wouldn't it work for others? I think this is a misguided assumption that many open source developers make, and it is perhaps one reason why open source software has such a bad rap. When one stops to consider the effort it really takes to make a software product, the time/effort discrepancy becomes quite understandable.

In order to make a software product suitable for general consumption, one has to take the time to produce all the extra bits and pieces of the system that we generally skip over when hacking for personal use. Things like unit tests, documentation (especially JavaDoc or PHPDoc), deployment scripts, help texts, regression tests, installers, a good user interface, and so on are vital to a smooth presentation to varied end users. Many open source products lack these features, and it shows. Consumers have come to expect these sorts of things from commercial software packages for a reason: they make life easier for the end user, both in terms of using and maintaining a system. But when you stop and consider the extra effort it takes to produce these "features", you can quickly see how the time adds up.

Making sure your application is well documented, installs and runs properly, and is easy to use takes a lot of effort. It is a valuable investment, however. Many developers skimp on these tasks, figuring that they will be able to remember how the system works. Anyone who has come back to a program a year after they last used it can attest to the inaccuracy of this assumption. Developing the extra "nine times" will ensure continued use, even if it is just personal. Not only that, but it's these finishing touches that make a quality product - something anyone can recognize. Producing quality is a matter of pride for many developers, but few recognize how to go about it. Consider this when developing your next software project, and take the time to make your product a quality one.