Talk:Team 7 Main

From CyberSecurity

Hey y'all, we should get this paper going. I'm looking at fixing up Keunwoo's technical write-up, with an eye toward including part of it in the final report.

Feedback for Details: Defenses

Keunwoo Lee 01:00, 24 October 2005 (PDT): I have some doubts about the optimistic tone of this:

  • Not all software engineers are passionate about improving software quality. MS is probably "best of breed" (or pretty close) right now w.r.t. industrial software quality processes, but I am skeptical that this generalizes to the entire industry.
  • Even where developers care, the question of whether vulnerabilities to this class of attacks will be fixed depends on many other factors. What convinces a manager or business that fixing buffer overflow bugs, or paying for and deploying software without buffer overflow bugs, is a non-negotiable goal? How do you trade off the costs of fixing buffer overflows vs. achieving other objectives?

[AGH] I decided last night that I'm going to talk about this more in terms of free market demand.

  • Could you source the "10-20%" figure for hiring better programmers and managers? What's the pay differential between, say, a top Microsoft engineer (leaving aside stock options and such) versus a grunt C/C++ coder at some random Windows OEM software shop? I suspect it's a lot more than 20%, so your figure must be based on some other comparison --- which might be OK, but you should source it and explicitly justify why you use this estimate.

[AGH] I didn't think too much about this, but the average cost of a developer in a year is roughly 300k. I'm not sure if that's nationwide or just at MS or just in Seattle, but it serves as a ballpark figure. I figure if the 90th percentile developer makes 50k more in salary than an average developer, that's an additional 18% cost.

It's hard to address this all in one short document. These are just some initial reactions.