That young whippersnapper Dave Maynor (whose receding hairline is a symptom of performance-degrading drugs and not age) tries to equate my points about SDL with my views on bugfinding. (He must be hurting for work, folks; help the poor child out so he doesn't need his allowance anymore, I say!)
I guess I need to clarify my point and then try to address his. First, my point was simply about the relationship between SDL success and the metric used to measure it. At one level, Dave is right that Microsoft can pick whatever metric they want to determine success. But that is more true for internal metrics than it is for public ones that are intended as marketing propaganda used to take swipes against its competitors.
So, the metric "publicly-found and disclosed vulnerabilities" is almost by definition incomplete, since there are presumably many more bugs found in private during the development cycle that would apply to the SDL. And when you have access to more data to make it complete you should use that data to measure success. That is my point. Simple.
(Let me take a quick step back to say that my belief is that the most prominent feature of SDL has always been to get the developers to write better code and less about designing better software or enticing enemies with $$$ so they will stay under NDA while finding vulnerabilities. Even if that isn't the case, my comments hold but even more so if this is true.)
What I am trying to figure out is why the little guy thinks this has something to do with bugfinding. Which it doesn't. Anyone care to enlighten me?
[It was very timely for Dave to point out that every day I get a day older, since I was looking at Twitter yesterday and feeling old because it seems like so much noise to me...]
I'm with you Pete. Perhaps in this case Dave just can't read?
It's quite simple really.
Software Security = number of vulns
Number of vulns found and publicly disclosed != software security
Seems like pretty simple logic.
Posted by: Andy | April 17, 2008 at 04:18 PM
dude, get on twitter and quit the moaning :)
_r
PS: maynor is spectacularly wrong.
Posted by: Ryan Naraine | April 18, 2008 at 08:13 AM
I think you're missing one of the vital parts of SDL, which is the focus on internal security testing and a focus on secure design (not just implementation). The fact that these catch security bugs or catch insecure features before they are released to customers reduces the number of total vulnerabilities in the release version, which reduces the number of publicly disclosed vulnerabilities.
I think this is as good a metric as you can come up with to measure the success of the SDL.
Posted by: Patrick Boyd | April 18, 2008 at 11:10 AM
Wow. You are an idiot. Why would you compare a not-released version of Oracle with a non-released version of SQL? Umm. You wouldn't. Whether you're talking about vulnerabilities or bugs, you vet the code for all of these. You find these things before its release.
Oh, I get it. You're an Open-Source fan and basically all Open-Source is 'work-in-progress' so ...
And Andy... "in private during the development cycle" = you'll never see it. Duh.
Posted by: Terje | April 18, 2008 at 12:10 PM
I wrote a piece about this because I think there is some confusion about who the metrics are for. Audience matters.
http://securityretentive.blogspot.com/2008/04/metrics-and-audience.html
Posted by: Andy Steingruebl | April 19, 2008 at 08:49 PM