McCabe cyclomatic complexity
Measuring Software Complexity to Target Risky Modules in Autonomous Vehicle Systems mccabe.com
McCabe IQ Research Library mccabe.com
QualityLevelAgreement.doc mccabe.com
[...] "Cyclomatic Complexity - A measure of the amount of logic in a code module, which is best defined as a Method, Procedure, Control, Section or Paragraph depending upon the programming language. If Cyclomatic Complexity is excessively high, it leads to impenetrable code, which is higher risk due to difficulty in comprehension and testing. The commonly used threshold is 10. When the Cyclomatic complexity of a given module exceeds 10, the likelihood of the code being unreliable is higher. A high Cyclomatic Complexity indicates decreased quality in the code resulting in increased defects that become costly to fix."
Software Quality Metrics To Identify Risk presentation, mccabe.com
The higher the complexity, the more bugs; the more bugs, the more security flaws.
Cyclomatic Complexity & Reliability Risk
1-10    Simple procedure, little risk
11-20   More complex, moderate risk
21-50   Complex, high risk
>50     Untestable, very high risk
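To make the threshold and the bands concrete, here is an added example (not code from mccabe.com or the linked documents) that computes McCabe's v(G) for Python functions from their AST and maps each result onto the risk bands above. The sample function, its `ALLOWED` and `json` names, are constructed for the demo and are only parsed, never executed.

```python
import ast
# Risk bands as given on the page: (upper bound on v(G), label).
RISK_BANDS = [(10, "simple procedure, little risk"), (20, "more complex, moderate risk"),
              (50, "complex, high risk")]

def risk_band(vg):
    return next((label for top, label in RISK_BANDS if vg <= top),
                "untestable, very high risk")

class _DecisionCounter(ast.NodeVisitor):
    def __init__(self):
        self.count = 0
    def _branch(self, node):  # one extra path per branch, loop or handler
        self.count += 1
        self.generic_visit(node)
    visit_If = visit_IfExp = visit_For = visit_While = visit_ExceptHandler = _branch
    def visit_BoolOp(self, node):  # `a and b or c`: each extra operand is a path
        self.count += len(node.values) - 1
        self.generic_visit(node)
    # A nested def is measured on its own, not folded into its parent.
    visit_FunctionDef = visit_AsyncFunctionDef = lambda self, node: None

def cyclomatic_complexity(func):
    """McCabe v(G) = decision points + 1 for one function node."""
    counter = _DecisionCounter()
    for stmt in func.body:
        counter.visit(stmt)
    return counter.count + 1

def complexity_report(source):
    """Map every function in `source` to (v(G), risk band)."""
    report = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            vg = cyclomatic_complexity(node)
            report[node.name] = (vg, risk_band(vg))
    return report
# Constructed sample (parsed, never run): 11 decision points -> v(G) = 12.
SAMPLE = '''def check_request(user, path, method, body):
    if user is None or not user.active or user.locked:
        return 403
    if ".." in path or path.startswith("/admin") and not user.is_admin:
        return 403
    try:
        data = json.loads(body) if method == "POST" else {}
    except ValueError:
        return 400
    for key in data:
        if key not in ALLOWED and key != "csrf":
            return 400
    return 200'''
```

Boolean operators count because each short-circuit is its own path, which is why a single dense `if` can push a function over the threshold of 10.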
Many experts point out that security requirements resemble those for any other computing task, with one seemingly insignificant difference ... whereas most requirements say "the system will do this," security requirements add the phrase "and nothing more."
Note - can't find this on nist.gov?
Halstead metrics
The volume of a function should be at least 20 and at most 1000. The volume of a parameterless one-line function that is not empty is about 20.
The volume of a file should be at least 100 and at most 8000. These limits are based on volumes measured for files whose LOCpro and v(G) are near their recommended limits.