hi sc-l,

Yesterday, Microsoft released an SDL report card of sorts called "The SDL 
Progress Report."  It covers the history of the SDL from 2004-2010.  You should 
read it.

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=918179a7-61c9-487a-a2e2-8da73fb9eade

For some reason the tech press is mostly discussing DEP and ASLR adoption 
(covered on pages 18 and 19).  Though I guess that is the "news" hook the PR 
flacks are hyping, I think there are many other parts of the report that have 
plenty to teach about how a software security initiative evolves.  (WRT the two 
anti-exploit tactics, see an article I co-authored with Ivan Arce from Core, 
"Assume Nothing: Is Microsoft Forgetting a Crucial Security Lesson?" 
<http://www.informit.com/articles/article.aspx?p=1588145> (April 30, 2010).)

Microsoft has made huge strides since the days of CodeRed, NIMDA and Slammer.  
The best part of what they're doing is being very open about the progress they 
are making and the approach that seems to be working for them.  I, for one, 
would love to see other reports like this issued by software vendors.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________