Microsoft SDL report card

[Gary McGraw <gem () cigital com>]

hi sc-l,

Yesterday, Microsoft released an SDL report card of sorts called "The SDL Progress Report."  It covers the history of 
the SDL from 2004-2010.  You should read it.

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=918179a7-61c9-487a-a2e2-8da73fb9eade

For some reason the tech press is mostly discussing DEP and ASLR adoption (covered on pages 18 and 19).  Though I guess 
that is the "news" hook the PR flacks are hyping, I think there are many other parts of the report that have plenty to 
teach about how a software security initiative evolves.  (WRT the two anti-exploit tactics, see an article I 
co-authored with Ivan Arce from Core Assume Nothing: Is Microsoft Forgetting a Crucial Security 
Lesson?<http://www.informit.com/articles/article.aspx?p=1588145> (April 30, 2010).)

Microsoft has made huge strides since the days of CodeRed, NIMDA and Slammer.  The best part of what they're doing is 
being very open about the progress they are making and the approach that seems to be working for them.  I, for one, 
would love to see other reports like this issued by software vendors.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________