Why is this security defect such a big deal, you may be asking. We see defects reported in XP on a nearly daily or at least weekly basis, after all. Ill tell you. My fear is that the SDL itself could be sacrificed if its believed to have failed, which would be a tremendous setback for all (secure) software development.
Mac vs. Linux: Which is More Secure?
Is the Mac Really More Secure than Windows?
IT In 2007: Budget and Trends
The Emerging Dell-Linux-Apple War|
You see, its not that the SDL is necessarily the best way of developing secure software. How many other software developers have to deal with the sorts of issues as Microsoft does? Seriously, how many people can claim that their general-purpose software will be used by hundreds of millions of people for everything from emailing the latest jokes to running mission-critical software at the largest enterprises? Not so simple to make security decisions that appease such a vast spectrum of users, is it?
Without a doubt many software development organizations even large ones will find Microsofts SDL as not quite meeting their needs. Heck, its not even the only game in town. There are several other lighter-weight security development processes readily available. The Open Web Application Security Project (OWASP) has its CLASP process, for example. Cigital has its touchpoint model. (Both of these can be freely downloaded, via here and here, respectively.) The list goes on.
But none of that is important. The fact is that the SDL is what Microsoft uses, and its future, along with the future of software security trends at Microsoft, is very much on the hook right now. Because of the sheer vastness of their market share, we all stand to lose out of the SDL fails. It is said that a rising tide raises all the ships in a harbor; well, then it stands to reason that a retreating tide lowers all the ships in a harbor just as equally.
For that reason, count me in as a supporter of the SDL. Long live the SDL.