Great post by Michael Howard today:
A few years ago I spoke to some senior technical people from a large financial organization about software security. After visiting Microsoft they were off to visit another operating system vendor. I won’t name names. The financial company was very interested in our early results, and they were encouraged by what they saw because of the SDL. I asked the most senior guy in the room to ask the other company one very simple question, “What are they doing to improve the security of their product? And by that I mean, what are they doing to reduce the chance security vulnerabilities will creep into the product in the first place? And they cannot use the word ‘Microsoft’ in the reply.” Two weeks later, the guy phoned me and said…
I won’t tell you what they said; for that, you’ll need to read Michael’s article. I promise that it’s worth your time.
Paul's Down-Home Page 