So, the final day of the SDL sessions for our OEM partners is complete...
My biggest observation was these guys were utterly engaged, and by that I mean writing copious notes and asking some very pointed and deep questions. The companies could have sent junior people to this event simply to pay lip service to security, but they did not; they sent senior security people who know what they are talking about. But they also know that any help we can give them can only be beneficial to the OEM, Microsoft and most importantly, our customers.
The day started with Mike Reavey doing an excellent job of outlining the importance of a clear, concise and predictable security response process - it's good for our customers and it's good for Microsoft! He also drove home the point that the Microsoft Security Response Center (MSRC) is an integral part of the SDL and (not surprisingly) a necessary part of a *complete* security process.
The discussion of the Privacy Guidelines for Developers was the source of a number of interesting questions - it's clear that the attendees had invested a good deal of thought on the subject. Having both Tina Knutson and Sue Glueck co-present on the subject allowed for a much richer discussion. Tina has a ton of operational privacy experience (and a ton of experience on Windows Vista privacy) and Sue's ongoing role as legal counsel was a cool and useful mix of perspectives.
We ended by having an open session on the role of procurement in ensuring security. The attendees made a lot of comments in support of driving security processes down the entire supply chain - on the other hand they were quite clear that they can't simply tell suppliers to "clean up their act" without some prescriptive guidance. Looks like we have some work to do!
This training session was a trial balloon; we have yet to look at the detailed feedback from the crowd, but verbal feedback from the attendees and "gut feel" responses from the rest of the presenters tell me that this was a great success.
Who knows, maybe our ISV partners are next...