tag:blogger.com,1999:blog-1426281128647295476.post8676130365949880968..comments2008-11-30T09:37:32.154-05:00radi vhttps://profiles.google.com/118284900687766448702noreply@blogger.comBlogger5125tag:blogger.com,1999:blog-1426281128647295476.post-67972245526477021822008-11-30T09:37:00.000-05:002008-11-30T09:37:00.000-05:00for a change :-)Puff, the magic dragonhttp://lixtetrax.wordpress.comnoreply@blogger.comtag:blogger.com,1999:blog-1426281128647295476.post-2871749658779823532008-11-30T06:25:00.000-05:002008-11-30T06:25:00.000-05:00agreed. :)radihttp://www.blogger.com/profile/11459795773754260693noreply@blogger.comtag:blogger.com,1999:blog-1426281128647295476.post-48038754023923868132008-11-30T05:31:00.000-05:002008-11-30T05:31:00.000-05:00Hi and thanks for the quick reply.<BR/><BR/>My comment aimed to convey this message: While the SDL works, I would take statistics with a grain of salt.<BR/><BR/>The lack of reported vulnerabilities (submitted to vendor, disclosed in mailing lists, captured in the wild/honeypots, you name it) does not guarantee the non-existance of vulnerabilities. <BR/><BR/>So, yeah, SDL drops the implementation bug/ design flaw count dramatically and gives some useful guidelines to developers (and MS-wise, there were some great results demonstrated) but unfortunately, it is not a cure all :(Puff, the magic dragonnoreply@blogger.comtag:blogger.com,1999:blog-1426281128647295476.post-33699342148934293872008-11-30T03:50:00.000-05:002008-11-30T03:50:00.000-05:00I agree with your statement that the number of reported vulnerabilities is lower than the number of actual discovered vulnerabilities. However, I think there are two reasons why the fact of the 3 reported vulnerabilities is still impressive:<BR/>1. If a vulnerability is not reported (i.e. disclosed by a 3rd party), it could mean that the SQL team has done a good job during the Verification Phase of the SDL.<BR/>2. If someone on the dark side has found an exploitable vulnerability and has not reported it yet, why haven't we seen a new massive worm spreading around (much like Slammer in 2003)?radihttp://www.blogger.com/profile/11459795773754260693noreply@blogger.comtag:blogger.com,1999:blog-1426281128647295476.post-37959053197221293852008-11-29T18:23:00.000-05:002008-11-29T18:23:00.000-05:00"reported" is the magic word. While the SDL is solid (at the very least is a formalized process designed to boost security, forcing them managers to take security seriously for a change), the number of reported vulnerabilities, especially critical ones, is lower than the actual, discovered vulnerabilities.<BR/><BR/>Having said that, SDL is a good thing :-)Puff, the magic dragonnoreply@blogger.com