Comment : "Microsoft's Security Development Lifecycle Methodology is Working"

Application vulnerability specialist Fortify Software says that after holding pole position in the vendor vulnerability-disclosure rankings for the whole of 2007, Microsoft has dropped to third place in IBM's X-Force mid-year security report.

"Normally a slip in the charts is a bad thing, but this time around it's a positive move, as it suggests that Microsoft's investment in an SDL - Security Development Lifecycle - is paying off," said Brian Chess, Fortify's chief scientist.

According to Chess, Microsoft's move down the rankings is almost certainly due to the actions of Bill Gates, whose company-wide email to developers years ago kicked off Microsoft's Trustworthy Computing initiative.

In his email, said Chess, Microsoft's former CEO clearly pointed out that all the great features of Microsoft's code won't matter unless customers trust the company's software.

"Gates told his dev team, ‘when we face a choice between adding features and resolving security issues, we need to choose security.’ And that's pretty impressive stuff, even for Bill Gates," he said.

"It's against this backdrop that we're glad that Microsoft accepts the Business Software Assurance religion which recognizes security is not simply a product, it must be complemented with processes and expertise," he added.

But Microsoft's advances have a serious implication for the rest of the market. Chess warns: "As Microsoft becomes a harder target, the pressure is transferred to smaller players. There are just as many, if not more, attackers out there as there were in 2007, but now they're spending their time looking at a greater diversity of software. Software security is everybody's problem. Microsoft can't rescue us. That's why they've moved from making their products secure to teaching people about how to create secure software."