I can't believe it, folks - Microsoft has saved the world with its Security Development Lifecycle! Yay! You heard it here first, second, third... (hey, this sensationalistic stuff Michael and Robert promote is fun!)
Here's the straight scoop: Michael Howard, the "father of the SDL," is using Jeff Jones's vulnerability counts as proof that the SDL works:
So if Windows Vista has more code than Windows XP SP2, why are we seeing a reduction in vulnerabilities? Simple: the Security Development Lifecycle (SDL)! Microsoft decided to change its development practices to enforce greater security discipline.
My gut reaction: I cannot believe Howard is actually going to suggest that the number of vulnerabilities found by external individuals is an indicator of SDL success. I defend Microsoft's SDL to many people and it is patronizing to see a metric completely abused.
Hmm, just for fun let me see if I can figure out some other reason why vulnerability counts might be down....(1 millisecond later)... Eureka! It could be that,
Microsoft has systematically hired and/or contracted with every one of their most vocal critics (and most seasoned bugfinders) to do the work behind the scenes and they don't count those vulns!
Now, it happens that I think this is a very, very smart thing to do, both from a marketing perspective and from a threat control perspective. But it says nothing about the SDL, because the published counts don't reflect the real numbers. And it pains me even more to see this:
The only way you reduce security vulnerabilities is by focusing on improving code security, design security, reducing attack surface, education, tracking evolving threats, mandatory use of tools, banning known bad functionality, better compilers, better linkers, better libraries, etc. And that is what the SDL is all about and what our team is laser-focused on.
Just think how MS could have revolutionized the way we think about vulnerabilities. And they give us trash*.
Then, Robert Hensing has to go and "second that emotion" by acting insulted that people don't believe SDL works:
One of the most frustrating things for me is when ignorant non-believers <G> claim that the SDL is all just marketing hype / spin / FUD etc. (as so eloquently captured at the beginning of his article <G> and as the title of this post). It's insulting to me.
I gotta tell you. This stuff is insulting to me, and as a frequent defender of SDL it is even more insulting to be ridiculed the way Microsoft has decided to ridicule those of us who think there are better numbers to be had. I am glad Microsoft has decided these things should be said because it helps divide us even more and makes me realize that I should be more vocal in my concerns.
Could it really be that the SDL has done nothing to help MS developers write better code? Could it be that the only thing that makes them "better" is a stronger quality control cycle? There are so many ways they could do a better job of proving the efficacy of the SDL that it raises the question of why they aren't...
*It's not really that bad, but in context it is truly frustrating to see this stuff.
Stimulating and informative post! We'll see where Microsoft ends up at the end of this - I never bet against a company like them!
Posted by: Reverse Cell Phone Lookup | February 11, 2011 at 01:39 PM
Microsoft saving the world? You HAVE to be kidding! :)
Posted by: buy viagra | March 07, 2011 at 09:55 PM