I have been critical in the past of Microsoft's supporting evidence for its argument that its Security Development Lifecycle was working. Mind you, I generally assume that it is working, but am just not swayed by the data. So imagine my interest when I came across this tidbit on page 28 of its 150-page Security Intelligence Report for the first half of 2008:
a whole, though on a much smaller scale."
So, if Microsoft is trending consistent with everyone else, then it is more difficult to see the benefit of SDL… This is one of the problems with using public disclosure data – it is inherently fickle and can't tell you nearly as much as, say, internal QA data.
I assume there is a different explanation since I haven't waded through the entire report yet. In any case, it seemed worth mentioning.