Comments on: Microsoft’s SDL has Saved the World!!

By: ms access

ms access — Mon, 03 Aug 2009 22:18:09 +0000

Good job, Microsoft!

/sarcasm

By: Balbus

Balbus — Mon, 21 Apr 2008 17:48:31 +0000

I don’t think people are communicating. Suppose SDL resulted in less secure product but “vocal critics” found huge numbers of vulnerabilities that were found, fixed before the release and not reported. Yes, the product may be more secure, but it would be due to more comprehensive testing by “vocal critics” and subsequent fixing rather than SDL. Because we don’t know how many vulnerabilities were found post development from all sources in Vista and its predecessors, we can’t use found vulnerabilities as an indication of SDL’s effectiveness.

By: Spire Security Viewpoint

Spire Security Viewpoint — Mon, 21 Apr 2008 14:45:37 +0000

Microsoft’s SDL – a second look

[This whole Microsoft Security Development Lifecycle issue is really pretty surreal – if someone had told me five years ago that a bunch of bugfinders would be defending Microsoft while I pointed out inconsistencies with what they were saying, I would …

By: The Security Development Lifecycle

The Security Development Lifecycle — Fri, 18 Apr 2008 13:08:09 +0000

Oh No! Security Metrics!

Hello, Michael here. A colleague sent me a link to a blog post from a couple of days ago: Pete Lindstrom

By: Pete

Pete — Thu, 17 Apr 2008 22:17:41 +0000

@Ryan -

My whole point is that the “ifs” and the “hand-waving” you mention could be answered definitively by Microsoft.

I can’t really understand where you are going with your argument – I’ve already said I support the SDL and I think it probably worked, but they are using the wrong numbers to demonstrate the success.

It is not clear to me that there is some sort of linear relationship between effort and number of vulnerabilities – I think attack surface and/or code complexity probably factors in. But I reiterate that all of our assumptions would be unnecessary if MS came out with the real numbers.

By: Ryan Russell

Ryan Russell — Thu, 17 Apr 2008 21:03:35 +0000

I was asking about strictly pool size; For convenient-number-size sake, if Office 2003 has 1000 vulns, and Office 2007 has 500 (and everything else being equal) then the vuln finder has to do twice as much something to find 50 vulns in 2007 vs. 2003. Or he doesn’t work any harder or smarter, and only finds 25.

I will agree that “everything else being equal” is extremely hand-wavy, and/or the numbers might be 100,000 and 50,000, making the difference in effort to find 50 a rounding error.

By: Pete

Pete — Thu, 17 Apr 2008 20:44:18 +0000

@Ryan -

No, the number of public vulns doesn’t have to go down as well. I should mention that I am skeptical that there are a lot of silent fixes being applied, but a) public bugfinding is random in its focus of attention and amount of resources applied to the problem; and b) we have no information about the number of vulns that were found during development and QA.

According to ISS, the total number of vulns found overall is going down, and they are attributing it to everything BUT better coding. I am pretty sure that not everyone is trained in Microsoft’s SDL, so determining cause and effect is extremely difficult.

By: Ryan Russell

Ryan Russell — Thu, 17 Apr 2008 20:16:32 +0000

If the total number of vulns if going down, doesn’t that mean the number of public vulns has to go down as well? Or do the publishers increase effort to keep the number of things they publish constant?

Asking strictly as an indicator, not yet whether it’s a good idea.

By: Pete

Pete — Thu, 17 Apr 2008 19:57:50 +0000

@Ryan – Yes, I am a fan of SDL; yes, the purpose is more secure software; yes, a smaller number of total vulns is an indicator of more secure software; no, I don’t believe there is a correlation between public vulns and total vulns.

Public vuln-finding is an ugly contest and MS isn’t winning this anymore because they’ve bribed the judges.

By: Spire Security Viewpoint

Spire Security Viewpoint — Thu, 17 Apr 2008 19:54:28 +0000

Dave Maynor has Saved the World!!

That young whippersnapper Dave Maynor (whose receding hairline is a symptom of performance-degrading drugs and not age) tries to equate my points about SDL with my views on bugfinding. (He must be hurting for work folks, help the poor child out so he d…