Close on the heels of David Ross' XSS defense in IE8 beta 2, my boss, Steve Lipner, just posted an article looking at the XSS filter from an SDL perspective.

While I'm on the subject of XSS and Dave, if XSS is an area of interest to you, you really should follow his blog. He's a member of our group focused mainly on browser and desktop-related defenses.