
How long will it take to audit 29k lines of Drupal code?

A client is asking how long it takes to audit the security of his Drupal module, which is 29k lines long. Does anyone know at least what ballpark I should give him? His main concerns are file encryption and user permissions.


Nope, not a damn clue :-)

However, whatever value you choose, may I suggest one thing?

Monitor your progress! Tell your client that your initial estimate is (for example) twenty-nine working days but that it depends on a great many factors outside your control.

Tell them you plan to mitigate risks of budget overrun by providing a daily snapshot of progress:

  • current number of lines audited in total [a].
  • days spent [b].
  • current "run rate" (number of lines per day, average) [c = a/b].
  • number of lines yet to be audited [d = 29,000 - a].
  • estimated days to completion [e = d / c].

Allow them to pull the plug at any time if the run rate is well below what you estimated.

This basic project management/reporting should give them the confidence that you know what you're doing, and will minimise their exposure considerably, to the point where they'll feel a lot more comfortable about taking you on.


Just on that last bullet point above, you may want to consider giving them a range (say +/-5% of the estimate), but don't get too clever about working out best and worst case based on your best and worst days to date. The power of averaging is that it gives you a "best" guess without having to fiddle too much with figures.


Typical estimates I've seen are that you can expect a developer to review 100-150 lines of code per hour. This is a very rough estimate, and it will vary greatly depending upon the nature of the code and the thoroughness of the review. Also, if you can review code for 8 hours a day, 5 days a week, straight, you're inhuman and amazing; for the rest of us, we need a change of activity to clear the brain.

