Average number of exploitable bugs per thousand lines of code?
Any number you get is going to be fairly meaningless -- some factors to consider:
Programming Language - Some languages let you do very unsafe things; e.g., C makes you directly allocate memory, do pointer arithmetic, has null terminated strings, so introduces many potential security flaws that safer (but slightly slower) languages like ruby/python do not allow. Purpose of application? What type of coder/code review?
Type of Application - if a non-malicious programmer writes a relatively complex angry bird type game in Java (not using
unsafe
module), there a very good chance there aren't any "exploitable" bugs -- especially after testing; with the possible exception of being able to crash the program. A web application in PHP written by amateurs, has a good chance of having various exploitable flaws (SQL injection, cross-site scripting, bad session management, weak hashing, remote file inclusion, etc.).Programmer expertise at writing secure code. If you hire a high school student with no past experience to code up some web application, there's a reasonable chance they'll be major flaws.
Furthermore, counting the number of "exploitable" bugs is not a straightforward task either; if finding bugs was straightforward they'd be removed in code review. Sometimes many bugs only arise due to subtle race conditions or complex interactions among programs/libraries.
However, if you take open-source projects, its fairly easy to find a count of LoC at ohloh.net and a count of "exploitable" vulnerabilities at cvedetails.com (I arbitrarily defined 'exploitable' as CVSS over 7). I randomly decided to look at some web browsers, programming languages, and web frameworks and found:
Web Browsers:
- Google Chrome 380 CVE with 6 239 930 LoC so 0.06 vulnerabilities per thousand LoC.
- Firefox 395 CVE in 8 000 969 LoC at rate 0.05 per 1000 lines of code.
open source programming languages:
- python with 3 exploitable CVSS>=7) in 862 830 lines of code at a rate of 0.003
- Ruby 13 CVSS >= 7 in 171 122 LoC at a rate of 0.08
- PHP with 122 exploitable CVSS>=7 in 3 761 587 lines of code at a rate of 0.03 (factor of ten worse than python).
Web Frameworks:
- django with 1 exploitable CVSS >= 7 in 149 292 LoC at a rate of 0.007.
- Ruby on Rails 7 exploitable CVSS >= 7 in 156 317 LoC at a rate of 0.05.
So again for these specific major programming projects (likely written by expert programmers) found rates of major exploitable vulnerabilities at a rate of 0.003 to 0.08 per 1000 LoC. (Or 1 per 12 500 - 300 000 LoC). I would necessarily extrapolate to non major open source projects.
As someone who security tests web apps for fun and profit the security defects per thousand lines is way higher in common open source web apps than the 0.08 figure quoted. Presumably the issue is CVEs record only security defects found and reported via the relevant channels, you need metrics where the code has undergone systematic reviews so that at least low hanging security defects have been detected, otherwise what you are measuring is some fraction of the testing effort.