Michael Howard attributes the reduction in Microsoft's total vulnerability share from 3.7% for 2007 to 2.5% for the first half of 2008* to its Security Development Lifecycle:
We’ve seen a general trend downward in security vulnerabilities in Microsoft products, and the IBM X-Force 2008 mid-year report backs the assertion that we’re making progress; according to the report Microsoft’s share of total vulnerabilities decreased from 3.7% in 2007 (1st place) to 2.5% (that’s 2.5% for all Microsoft products; a more appropriate comparison might be Windows vs Linux vs Mac OSX, or SQL Server vs Oracle vs DB2) in the first 6 months of 2008 (3rd place). This is an encouraging signal that the SDL is working on a large scale… of course, it might also show that vulnerability researchers are moving to easier targets, which, to me shows the SDL is working too.
I think it only fair that we also congratulate Microsoft's SDL for causing the decrease in Oracle's vuln share from 2.8% to 1.4% and Cisco's share from 1.8% to 1.4%. I am not sure why Microsoft's SDL is causing Apple's share to remain the same at 3.2% or IBM's share to increase from 2.1% to 2.3% – perhaps a secret backdoor in the process?
[All stats as reported by IBM/ISS X-force in two separate reports found here and here.]