GREAT post by Michael Howard over on the SDL blog about the hyperbole that usually crops up on <cough>/.</cough> whenever Jeff Jones posts his vulnerability analysis report.

  • "This is FUD"
  • "Yeah, but it's not an apples to apples comparison"
  • "How can you believe this guy? He works for Microsoft!"
  • "What would Microsoft know about security?"
  • "For his next trick..."
  • "That chart really hits home the fact that statistics can be used to prove any side of any argument"
  • "Of course he says Windows is the best, that's what he's paid to do."
  • "Counting vulnerabilities is a natural way to measure security. If you're a retard."
  • "The other big reason linux is more secure is many black hats LOVE open source principles"
  • "Can someone please slap MSoft in the teeth"
  • "I can't actually remember a time when my mac needed a patch to fix a security hole."

A few years ago I spoke to some senior technical people from a large financial organization about software security. After visiting Microsoft they were off to visit another operating system vendor. I won't name names. The financial company was very interested in our early results, and they were encouraged by what they saw because of the SDL. I asked the most senior guy in the room to ask the other company one very simple question, "What are they doing to improve the security of their product? And by that I mean, what are they doing to reduce the chance security vulnerabilities will creep into the product in the first place? And they cannot use the word ‘Microsoft’ in the reply." Two weeks later, the guy phoned me and said...

You'll need to read the rest of the post to find out what he said, but I guarantee the post is worth a read: http://blogs.msdn.com/sdl/archive/2008/02/21/the-first-step-on-the-road-to-more-secure-software-is-admitting-you-have-a-problem.aspx