
Why Microsoft's SDL Missed MS08-067 in their own words

"No doubt you are aware of the out-of-band security bulletin issued by the Microsoft Security Response Center today, and like all security vulnerabilities, this is a vulnerability we can learn from and, if necessary, can use to shape future versions of the Security Development Lifecycle (SDL).

Before I get into some of the details, it's important to understand that the SDL is designed as a multi-pronged security process to help systemically reduce security vulnerabilities. In theory, if one facet of the SDL process fails to prevent or catch a bug, then some other facet should prevent or catch the bug. The SDL also mandates the use of security defenses, because we know full well that the SDL process will never catch all security bugs. As we have said many times, the goal of the SDL is to "Reduce vulnerabilities, and reduce the severity of what's missed."

In this post, I want to focus on the SDL-required code analysis, code review, fuzzing and compiler and operating system defenses and how they fared." - Michael

An interesting read for sure, and it provides good insight into the SDL mindset at Microsoft.

Read more: http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx

