Day two of the SDL training session for OEMs went well.  James Whittaker led the discussion for the first half of the morning, discussing security testing.  His main point was that testing for security requires a diffferent mind set - you still have to rely on conventional testing techniques, but you also have to take it to the next level - expect the unexpected and don't be bound by conventional wisdom.  He demonstrated a number of interesting techniques and tools to uncover security flaws.  The OEM attendees were engaged, asking questions, challenging a number of points, and providing feedback to us on how testing is done in their organizations. Second half of the day we switched focus to Bill Shihara - he spoke on two subjects; the role of the security advisor (security experts from our team that act in a mentor/liaison role with the product teams) and a discussion of the tools that are publicly available and used as part of the SDL.
 
We had a nice surprise at the end of the day - Jim Allchin took time out from his schedule came over to chat with the attendees and to thank them for their participation. This was a non-trivial effort considering we RTM'd Vista yesterday.  Jim was very direct; there has been a lot of thought and effort focused on the security for Vista, but its crucial for Microsoft and the industry leaders in the room to work together to secure the ecosystem.  He asked that the partners demand better security and reliability from themselves and from their ISV and hardware component suppliers.   Another good day...  The last sessions will be covering security response (Mike Reavey) a discussion of our recently published privacy guidelines for developers (Tina Knutson and Sue Glueck) and a final wrap up discussion.