Computing Reviews
Can complexity, coupling, and cohesion metrics be used as early indicators of vulnerabilities?
Chowdhury I., Zulkernine M. SAC 2010 (Proceedings of the 2010 ACM Symposium on Applied Computing, Sierre, Switzerland, Mar 22-26, 2010), 1963-1969. 2010. Type: Proceedings
Date Reviewed: Feb 15 2011

Dealing with complexity is the third most important concern for software engineers. This wonderful paper proposes that “complexity, coupling, and cohesion [...] can be measured and used to evaluate the quality of software.”

Table 2 is a terrific compilation of the notions of software complexity. The skills of the development staff and the size of the project must be managed first, before complexity can be addressed. I would have liked to see a distinction being made between processing and interfacing objects, components, and modules.

Chowdhury and Zulkernine report in this paper on the application of complexity, coupling, and cohesion metrics to five releases of Mozilla Firefox code, with interesting results. But in order to prove their general utility, the metrics should also be applied to other bodies of code.

The finding in Section 3.3.1 that “inheritance complexity can be used as a good indicator of vulnerabilities in Mozilla Firefox” fits with my software engineering prescriptions that minimize inheritance to very few object classes that have more than two levels: “no more than one third [of the objects] should have an inheritance level of more than 3” [1].

Section 3.3.5 tests stability across releases in a quite innovative way. The paper offers a modest yet insightful suggestion that “security assessment can be directed to highly complex, coupled and non-cohesive areas of software, as they are more likely to be vulnerable security threats.”
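The two points above, inheritance depth as a vulnerability indicator and directing security assessment at highly complex, coupled areas, are easy to turn into a small triage tool. The following is an added example, not code from the paper or the reviewer: it extracts per-class inheritance depth (DIT) and a simple coupling count from Python source with the standard `ast` module, applies the reviewer's "no more than one third of classes with an inheritance level of more than 3" rule, and ranks classes for review. The paper measured C++ (Firefox); the Python target, the treatment of bases defined outside the module as roots, and the sample module are assumptions made here.

```python
"""Class-level complexity/coupling metrics for a Python module (added example).

Hypothetical triage helper: computes depth of inheritance tree (DIT) and a
coupling count per class, checks the reviewer's one-third rule, and orders
classes so security assessment starts with the deepest, most coupled ones.
"""
import ast

# Constructed sample module: one deliberately deep inheritance chain plus two
# shallow helper classes, so the one-third rule is actually exercised.
SAMPLE_SOURCE = '''
class Base: pass
class L1(Base): pass
class L2(L1): pass
class L3(L2): pass
class L4(L3):
    def handle(self, req):
        return Parser().parse(req) + Cache().get(req)
class Parser:
    def parse(self, data):
        return len(data)
class Cache:
    def get(self, key):
        return 0
'''


def class_bases(tree):
    """Map each class name in the module to the names of its direct bases."""
    bases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef):
            names = []
            for b in node.bases:
                if isinstance(b, ast.Name):
                    names.append(b.id)
                elif isinstance(b, ast.Attribute):   # e.g. pkg.Base
                    names.append(b.attr)
            bases[node.name] = names
    return bases


def inheritance_depth(name, bases, _seen=None):
    """DIT: a class with no in-module base has depth 0, each in-module
    ancestor adds 1. Bases not defined in the module are treated as roots
    (assumption), and a cycle guard stops pathological inputs."""
    _seen = _seen or frozenset()
    if name in _seen or name not in bases:
        return 0
    _seen = _seen | {name}
    return 1 + max((inheritance_depth(b, bases, _seen) for b in bases[name]),
                   default=-1)


def coupling(node, class_names):
    """Count distinct other module classes referenced anywhere in the class
    (bases included): a crude coupling-between-objects figure."""
    refs = set()
    for sub in ast.walk(node):
        if isinstance(sub, ast.Name) and sub.id in class_names and sub.id != node.name:
            refs.add(sub.id)
    return len(refs)


def module_metrics(source):
    """Return {class_name: {"dit": int, "cbo": int}} for the given source."""
    tree = ast.parse(source)
    bases = class_bases(tree)
    names = set(bases)
    metrics = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef):
            metrics[node.name] = {"dit": inheritance_depth(node.name, bases),
                                  "cbo": coupling(node, names)}
    return metrics


def violates_one_third_rule(metrics, max_depth=3):
    """Reviewer's prescription: no more than one third of classes may have an
    inheritance level greater than max_depth."""
    deep = sum(1 for m in metrics.values() if m["dit"] > max_depth)
    return deep * 3 > len(metrics)


def review_priority(metrics):
    """Order classes for security assessment: highest DIT + coupling first,
    ties broken by name so the output is stable."""
    return sorted(metrics, key=lambda n: (-(metrics[n]["dit"] + metrics[n]["cbo"]), n))


if __name__ == "__main__":
    m = module_metrics(SAMPLE_SOURCE)
    for cls in review_priority(m):
        print(f"{cls:8} DIT={m[cls]['dit']} CBO={m[cls]['cbo']}")
    print("one-third rule violated:", violates_one_third_rule(m))
```

On the sample module, `L4` (DIT 4, three referenced classes) comes out first, so an assessment budget would be spent there before the shallow helpers; one deep class out of seven stays within the one-third rule. Real projects would run this over every module and aggregate, and the coupling count would be better computed across module boundaries than within one file.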

In conclusion, this paper is an important, must-read work for software engineers and a good reference.

Reviewer: Larry Bernstein. Review #: CR138794 (1110-1061)
[1] Bernstein, L.; Yuhas, C.M. Trustworthy software through quantitative software engineering. Wiley, Hoboken, NJ, 2005.
Categories: Performance Measures (D.2.8 ...); Product Metrics (D.2.8 ...)