A new article called Microsoft Under Attack summarizes itself by saying:
Not by angry customers suing for damages after security breaches, or by governments breaking up monopolies, but by open source developers and security professionals accusing them of being obsessed by security.
The article goes on to chronicle a panel discussion, moderated by the author and titled “Should companies be emulating Microsoft’s Security Development Lifecycle?”, at the OWASP Europe conference in Leuven.
Reading through the comments, one reader asks “Can you give an example of where a MS product has superseded a comparable open-source project in terms of security?”
I suppose that depends on your definition of security, but I took it to mean “software having fewer serious vulnerabilities for hackers to potentially exploit” and posted my own reply. The short answer is that there are more and more examples the longer Microsoft applies the SDL and other security programs, while comparable open source projects claim that they don’t need to pursue similar security goals (due to “many eyes” or whatever other reasons).
I think my previous post on the Red Hat Workload Vulnerability Index is one good example of a (not-defined-by-Microsoft) metric for comparing the results of differing development processes.