Microsoft’s security development lifecycle is paying off, but others should watch out

IT security specialist Fortify Software believes that, despite Microsoft’s slip from pole position in IBM’s X-Force security reports throughout 2007 to third place now, the company is doing well.

“Normally, a slip in the charts is a bad thing, but this time around it’s a positive move, as it suggests that Microsoft’s investment in an SDL [security development lifecycle] is paying off,” says Brian Chess, Fortify’s chief scientist. “We’re glad that Microsoft accepts the Business Software Assurance religion, which recognises security is not simply a product: it must be complemented with processes and expertise,” he says. However, he has a warning: “As Microsoft becomes a harder target, the pressure is transferred to smaller players: there are just as many, if not more, attackers out there as there were in 2007, but now they’re spending their time looking at a greater diversity of software. Software security is everybody’s problem. Microsoft can’t rescue us.”