That young whippersnapper Dave Maynor (whose receding hairline is a symptom of performance-degrading drugs and not age) tries to equate my points about SDL with my views on bugfinding. (He must be hurting for work, folks; help the poor child out so he doesn't need his allowance anymore, I say!)
I guess I need to clarify my point and then try to address his. First, my point was simply about the relationship between SDL success and the metric used to measure it. At one level, Dave is right that Microsoft can pick whatever metric they want to determine success. But that is more true for internal metrics than it is for public ones that are intended as marketing propaganda used to take swipes against its competitors.
So, the metric "publicly-found and disclosed vulnerabilities" is almost by definition incomplete, since there are presumably many more bugs found in private during the development cycle that would apply to the SDL. And when you have access to more data to make it complete, you should use that data to measure success. That is my point. Simple.
(Let me take a quick step back to say that my belief is that the most prominent feature of SDL has always been to get the developers to write better code, and less about designing better software or enticing enemies with $$$ so they will stay under NDA while finding vulnerabilities. Even if that isn't the case, my comments hold; if it is true, they hold even more so.)
What I am trying to figure out is why the little guy thinks this has something to do with bugfinding. Which it doesn't. Anyone care to enlighten me?
[It was very timely for Dave to point out that every day I get a day older, since I was looking at Twitter yesterday and feeling old because it seems like so much noise to me...]