Is Microsoft's SDL Working?

I have been critical in the past of Microsoft's supporting evidence for its argument that its Security Development Lifecycle was working. Mind you, I generally assume that it is working, but am just not swayed by the data. So imagine my interest when I came across this tidbit on page 28 of its 150-page Security Intelligence Report for the first half of 2008:

"In general, trends for Microsoft vulnerability disclosures have mirrored those for the industry as
a whole, though on a much smaller scale."


So, if Microsoft is trending consistent with everyone else, then it is more difficult to see the benefit of SDL... This is one of the problems with using public disclosure data - it is inherently fickle and can't tell you nearly as much as, say, internal QA data.

I assume there is a different explanation since I haven't waded through the entire report yet. In any case, it seemed worth mentioning.