There’s an interesting article over at C|Net about security in general, and Microsoft and the SDL in particular. One thing the author points out as important is BillG’s Trustworthy Computing memo.
IMHO, here’s why such an email is so important. If you don’t get the senior management team to buy off on this security engineering stuff, you will make no real progress. Sure, you might win a few battles along the way and squish a few bugs, but you can’t make wholesale changes and real progress unless the senior execs know there is a difficult problem to solve, and are then willing to spend time and resources on the problem.
Some of our competitors have poo-hoo’d Bill’s TwC memo as a marketing ploy. It isn’t. It’s a battle cry and a call to action.