Microsoft’s failure to detect the animated cursor bug in Vista has encouraged critics to speculate that its highly-acclaimed secure development process might not be working as advertised. They have a point. One would certainly expect its code review process to have spotted and eliminated this particular vulnerability. It’s remarkably similar to an earlier flaw in the same section of code.
But this is not so much a failure of Microsoft’s new development process as a reflection of the fact that you can’t eradicate years of insecure practice through a single business transformation. It takes a long time to achieve the highest levels of process maturity. And software development is a complex process full of uncertainties and pitfalls, and managed by humans who are bound by ambitious targets. Perfect, secure software is a pipedream. What really counts is an organization’s capability to recognize, correct and learn from its mistakes. And that is how we should really judge the quality of Microsoft’s software development process.