"No doubt you are aware of the out-of-band security bulletin issued by the Microsoft Security Response Center
today, and like all security vulnerabilities, this is a vulnerability
we can learn from and, if necessary, can use to shape future versions
of the Security Development Lifecycle (SDL).

Before I get into some of the details, it’s important to understand
that the SDL is designed as a multi-pronged security process to help
systemically reduce security vulnerabilities. In theory, if one facet
of the SDL process fails to prevent or catch a bug, then some other
facet should prevent or catch the bug. The SDL also mandates the use of
security defenses, because we know full well that the SDL process will
never catch all security bugs. As we have said many times, the goal of
the SDL is to "Reduce vulnerabilities, and reduce the severity of
what’s missed."

In this post, I want to focus on the SDL-required code analysis,
code review, fuzzing and compiler and operating system defenses and how
they fared." – Michael
An interesting read for sure, and it provides good insight into the SDL mindset at Microsoft.
Read more: http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx