That young whippersnapper Dave Maynor (whose receding hairline is a symptom of performance-degrading drugs and not age) tries to equate my points about SDL with my views on bugfinding. (He must be hurting for work, folks; help the poor child out so he doesn't need his allowance anymore, I say!)
I guess I need to clarify my point and then try to address his. First, my point was simply about the relationship between SDL success and the metric used to measure it. At one level, Dave is right that Microsoft can pick whatever metric they want to determine success. But that is more true for internal metrics than it is for public ones that are intended as marketing propaganda used to take swipes against its competitors.
So, the metric "publicly-found and disclosed vulnerabilities" is almost by definition incomplete, since there are presumably many more bugs found in private during the development cycle that would apply to the SDL. And when you have access to more data to make it complete you should use that data to measure success. That is my point. Simple.
(Let me take a quick step back to say that my belief is that the most prominent feature of SDL has always been to get the developers to write better code, and less about designing better software or enticing enemies with $$$ so they will stay under NDA while finding vulnerabilities. Even if that isn't the case, my comments hold, and even more so if it is true.)
What I am trying to figure out is why the little guy thinks this has something to do with bugfinding. Which it doesn’t. Anyone care to enlighten me?
[It was very timely for Dave to point out that every day I get a day older, since I was looking at Twitter yesterday and feeling old because it seems like so much noise to me...]
I'm with you, Pete. Perhaps in this case Dave just can't read?
It's quite simple, really.
Software Security = number of vulns
Number of vulns found and publicly disclosed != software security
Seems like pretty simple logic.
dude, get on twitter and quit the moaning
_r
PS: maynor is spectacularly wrong.
I think you're missing one of the vital parts of SDL, which is the focus on internal security testing and a focus on secure design (not just implementation). The fact that these catch security bugs or catch insecure features before they are released to customers reduces the number of total vulnerabilities in the release version, which reduces the number of publicly disclosed vulnerabilities.
I think this is as good a metric as you can come up with to measure the success of the SDL.
Wow. You are an idiot. Why would you compare a non-released version of Oracle with a non-released version of SQL? Umm. You wouldn't. Whether you're talking about vulnerabilities or bugs, you vet the code for all of these. You find these things before its release.
Oh, I get it. You’re an Open-Source fan and basically all Open-Source is ‘work-in-progress’ so …
And Andy… “in private during the development cycle” = you’ll never see it. Duh.
I wrote a piece about this because I think there is some confusion about who the metrics are for. Audience matters.
http://securityretentive.blogspot.com/2008/04/metrics-and-audience.html