Microsoft can, and should, provide more insight into how well its security development life cycle is working.
April 21, 2008
Microsoft can, and should, provide more insight into how well its security development life cycle is working.Burton Group security analyst Pete Lindstrom set the security blogoshere ablaze with his post Microsoft's SDL has Saved the World!. David Maynor at Errata Security calls Lindstrom an old man. While Michael Howard, a senior security program manager at Microsoft responded here.
At issue isn't the value of improving software development processes to incorporate security throughout the development life cycle. What's at issue is whether or not Microsoft's SDL has improved the security of its software when it's shipped at GA. I certainly believe it has come a long way since this day (link), and that Microsoft is using public vulnerability discovery counts as its measurement of success.
Lindstrom makes a number of points, some are dubious, others are worth consideration as to why the number of publicly discovered vulnerabilities is on the wane. And not all of these have anything to do with an improvement in development:
About the Author(s)
You May Also Like
Beyond Spam Filters and Firewalls: Preventing Business Email Compromises in the Modern Enterprise
April 30, 2024Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024Where and Why Threat Intelligence Makes Sense for Your Enterprise Security Strategy
May 15, 2024Safeguarding Political Campaigns: Defending Against Mass Phishing Attacks
May 16, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024