Hi, Michael here,
The following article, “Major software makers fail security transparency test,” caught my eye this morning because it covers a topic of great interest to me: companies documenting their security and privacy-related software development practices for the world to critique and, perhaps more important, use.
As the article noted, Microsoft’s process has been public for nearly half a decade.
About two years ago I created a short presentation (attached) that asks many of the questions implied by the SD Times article. We support the proposition that vendors should be evaluated by criteria that are closer to the real security properties people want in their systems. Ask your vendors: are you investing in security or certificates?
The industry clearly has a long way to go, both in terms of improving security and in explaining how they achieve or plan to achieve their security objectives.