"Counting vulnerabilities is a natural way to measure security. If you’re a retard."

Got your attention, didn't I? 🙂  So Mike Howard, one of the founding fathers of the SDL, is an amazing guy.  In my group we joke around with him and tease him quite a lot (he is a Kiwi, after all), but at the end of the day there are few people in Microsoft whom I respect more, and to this day I still can't believe I get to work in the same org with him.  To say it's an honor and a privilege would be an understatement.  I would be hard pressed to name another person in Microsoft who has had more impact on the overall security of our products.  When he speaks, I listen.  So with that, I give you Mike's latest TechNet article: http://www.microsoft.com/technet/community/columns/secmgmt/sm0408.mspx

I really liked this article because it was short and sweet, and Mike does a really great job of capturing the cultural shift that occurred, how we use metrics to track our progress, and how our competition is still, in the year 2008, largely in denial about their own situation.  One of the most frustrating things for me is when ignorant non-believers <G> claim that the SDL is all just marketing hype / spin / FUD etc. (as so eloquently captured at the beginning of his article <G> and in the title of this post).  It's insulting to me.  To put how I feel about folks who don't believe that the SDL is causing measurable improvements to our products' security in context, consider all of the people who believe that the moon landing never happened and was a big sham put on by our government.  Now imagine that you're an engineer who has worked at NASA for decades and who was involved in that momentous achievement.  Imagine how that person must feel every time they come across someone at a party or some social setting who simply doesn't believe that we could have achieved such a milestone in the '60s.  I believe I know how they must feel . . . bemused . . . offended . . . disgusted even . . . I come across people every day (through my blog, email, web sites) who simply don't believe that the SDL is a real achievement and who think it's all just a sham perpetrated by the world's largest software company to get people to buy more product.  By now I've largely given up trying to convince people that the SDL is real and that it really works.  In the year 2008, if you don't believe that we've made progress since 2002 and that the SDL and the cultural shift within Microsoft are responsible, then I internally lump you into the same bucket as the folks who to this day don't believe in the moon landing, as there is probably no amount of evidence that will ever convince you that it's real.

