Over at HellnBak’s blog (not sure who this is, but s/he is definitely smarter than me, and good at keeping things in context), there is a post about SDL:
Let me say this right now. SDL works.

You name the major vendor – Microsoft, Apple, IBM, HP, VMWare, etc… I have worked with them on getting vulnerabilities fixed and I have been doing so at different times during my 15 year career. I was sitting at the lunch table in the 90s when a Sr. Microsoft executive looked at a group of researchers and said “If I had my way people like you would be in jail”. I was there when Scott Culp during his MSRC days called every Security Researcher a Terrorist. I have also watched the vendor everyone loves to hate — Microsoft — take a complete 180 on their security philosophy.

So before you comment calling me a fan boy let me say this. Is Microsoft perfect with how they deal with security vulnerabilities and bugs? No, they are far from it. But, they are better than the majority of the vendors I have had to deal with.
This is a great example of the subtle cognitive biases I am talking about. Here is someone who thinks that the best proof that SDL works is simply that MS makes him feel good. No doubt, MS is great with their PR and their support of bugfinders, but I have no clue (note to hellnbak – cut-n-paste the bolded phrase and attribute it to me) how pandering proves SDL works.
In any case, whether or not SDL works isn’t really in question. This just proves how weak and malleable the evidence is. Not sure about you, but it appears to me that….
HellnBak is a fan boy.
So because he hasn’t posted the evidence he is a fan boy?
Let me rephrase, by your logic you didn’t prove that he is a fan boy therefore you have some sort of vendetta against HellnBak.
@Patrick -
That’s just it, that paragraph *is* his evidence. Which demonstrates my point that this whole issue is about faith and not evidence.
Yeah, couldn’t resist the fanboy comment.
Pete
hellnback is steve manzuik, formerly of eeye, now at juniper.
_ryan
At least spell my name right, Ryan.
Name one remote system vulnerability found in the last 12 months in a Microsoft operating system. That alone is proof that SDL does in fact work. When I say work, I do not mean it is the silver bullet solution but it does improve the security of code.
So this has nothing to do with making me feel good because there are still many improvements that can be made and obviously any process like SDL is only as good as those following it.
@hellNbak -
“That alone is proof that SDL does in fact work.”
That is a gross misunderstanding of either 1) proof; 2) SDL; or 3) fact. At best, it may provide some information that seems to support your hypothesis, but that is it.
Here’s a simple alternative notion – if the amount of external bugfinding effort on Microsoft products has been reduced to 1/10th the effort involved prior to SDL, then it will take 10 times as long to find bugs and the software would have the same level of vulnerability.