Nov 18, 2008

The effects of the SDL

Gabe just brought back from Barcelona a deck of cards provided by Microsoft to advertise some statistics about the SDL. An interesting fact is that there have been only 3(!!!) vulnerabilities reported in SQL Server 2005 since its initial release in 2005. More on what these vulnerabilities are can be found here.

I'm impressed.

5 comments:

Puff, the magic dragon said...

"reported" is the magic word. While the SDL is solid (at the very least is a formalized process designed to boost security, forcing them managers to take security seriously for a change), the number of reported vulnerabilities, especially critical ones, is lower than the actual, discovered vulnerabilities.

Having said that, SDL is a good thing :-)

radi said...

I agree with your statement that the number of reported vulnerabilities is lower than the number of actual discovered vulnerabilities. However, I think there are two reasons why the fact of the 3 reported vulnerabilities is still impressive:
1. If a vulnerability is not reported (i.e. disclosed by a 3rd party), it could mean that the SQL team has done a good job during the Verification Phase of the SDL.
2. If someone on the dark side has found an exploitable vulnerability and has not reported it yet, why haven't we seen a new massive worm spreading around (much like Slammer in 2003)?

Puff, the magic dragon said...

Hi and thanks for the quick reply.

My comment aimed to convey this message: While the SDL works, I would take statistics with a grain of salt.

The lack of reported vulnerabilities (submitted to the vendor, disclosed on mailing lists, captured in the wild/honeypots, you name it) does not guarantee the non-existence of vulnerabilities.

So, yeah, SDL drops the implementation bug/ design flaw count dramatically and gives some useful guidelines to developers (and MS-wise, there were some great results demonstrated) but unfortunately, it is not a cure all :(

radi said...

agreed. :)

Puff, the magic dragon said...

for a change :-)