
Microsoft spends huge on QA. Unusually so. Google "Microsoft QA ratio" for starters. That has nothing to do with security. QA doesn't find security bugs, because security bugs are different from normal bugs: they're only possible under subtle adversarial conditions.


It's not about how much you spend. It's the result you achieve.

It seems the architecture of Windows and its backward compatibility are a growing burden on Microsoft's shoulders.

The sad truth in software business is that you don't have to make your product robust enough to last forever, just long enough for you to pocket your bonus and retire.

I also have a problem with the idea that security bugs are not ordinary bugs. Bugs are parts of the program that don't do what should be done, be it about crashing, corrupting data or handing over the keys to your kingdom, they are still bugs and should be detected and corrected.


"I have a problem with the idea that security bugs aren't ordinary bugs, [...] because they are still bugs and should be detected and corrected".

You just said absolutely nothing about security flaws OR QA. You want to try again? Because I think all you've got here is, "bugs should get fixed". Yeah, you got me there.


"Microsoft spends huge on QA" and "QA doesn't find security bugs" are things you said.

If their QA can't find security bugs, then, perhaps, they should rethink what software quality means to them. Remember: even if bugs cost them millions of dollars, they cost even more to their customers.


Ricardo, can you point me to the security flaws you've discovered and documented? I looked you up on LinkedIn, and you have a long resume in software development --- but no apparent experience whatsoever in software security.

Your claims about QA and security are so wildly outside my own experience and the general understanding of my field that I'm wondering where you get the confidence to make them so forcefully. I've never met a QA team anywhere that could reasonably be left responsible for testing software security.


I don't work with software security and have discovered absolutely no new security flaws. I have, however, experienced many and created some in the long career you refer to.

Still, none of the security problems I wrote into my code could be blamed on highly adversarial conditions - all of them were plain bugs, places I forgot to do something or when I trusted something one should never trust.

The fact that you never met a QA team that could uncover security problems possibly stems from them not looking into the code itself and never having the responsibility of finding such problems. Validating compliance, correctness of observed behavior and even overall user experience is also called quality assurance, but it is, by no means, the whole of the software quality concept.
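An added illustration of the point argued on both sides of this thread (it is not code from any commenter or from any product discussed): a small file-export helper that passes every functional QA case and still fails under adversarial input, beside a hardened version that passes both. The names (`EXPORT_ROOT`, `export_path_naive`, `export_path_hardened`), the sample inputs and the directory layout are constructed for the example; the `user_id` is assumed to come from an authenticated session while `filename` comes from the request.

```python
import posixpath

# Constructed layout: each user's exports live under EXPORT_ROOT/<user_id>/.
# (Assumption for this example; not taken from the thread.)
EXPORT_ROOT = "/srv/exports"


def export_path_naive(user_id, filename):
    # The "trusted something one should never trust" kind of plain bug:
    # the request-supplied filename is joined into the path without validation.
    return posixpath.join(EXPORT_ROOT, user_id, filename)


def export_path_hardened(user_id, filename):
    # Same contract, but the untrusted component is confined to the user's directory.
    if "/" in filename or "\\" in filename or filename in ("", ".", ".."):
        raise ValueError("invalid file name")
    user_root = posixpath.join(EXPORT_ROOT, user_id)
    candidate = posixpath.normpath(posixpath.join(user_root, filename))
    # Belt and braces: after normalisation the file must still sit directly in user_root.
    if posixpath.dirname(candidate) != user_root:
        raise ValueError("path escapes export directory")
    return candidate


# Functional QA cases (constructed): inputs a legitimate client actually sends,
# checked against the observed behaviour. Both implementations pass these.
FUNCTIONAL_CASES = [
    ("alice", "report.csv", "/srv/exports/alice/report.csv"),
    ("bob", "2024-q1.pdf", "/srv/exports/bob/2024-q1.pdf"),
]

# Adversarial cases (constructed): inputs only an attacker would send.
# The naive helper "works" on every functional case and still resolves to
# another user's file or to an arbitrary path on the host.
ADVERSARIAL_CASES = [
    ("alice", "../bob/report.csv"),
    ("alice", "/etc/passwd"),
    ("alice", "..\\bob\\report.csv"),
]


def run_functional(fn):
    """True if fn produces the expected path for every functional case."""
    return all(fn(user_id, name) == expected for user_id, name, expected in FUNCTIONAL_CASES)


def run_adversarial(fn):
    """True if every adversarial input is rejected or still resolves inside the user's directory."""
    for user_id, name in ADVERSARIAL_CASES:
        try:
            result = fn(user_id, name)
        except ValueError:
            continue  # rejected outright: acceptable
        user_root = posixpath.join(EXPORT_ROOT, user_id) + "/"
        # Normalise before comparing, otherwise "alice/../bob" looks like it is under alice/.
        if not posixpath.normpath(result).startswith(user_root):
            return False
    return True


if __name__ == "__main__":
    for label, fn in (("naive", export_path_naive), ("hardened", export_path_hardened)):
        print(f"{label:9s} functional={run_functional(fn)} adversarial={run_adversarial(fn)}")
```

Run as a script it prints one line per implementation; the naive helper passes the functional suite and fails the adversarial one, which is the gap between "observed behaviour is correct" and "the code is secure" that the two commenters are arguing about.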


As long as we're clear that by "them", I mean "a broad cross section of the whole industry, from embedded infrastructure code to 'web 2.0'", and you mean "the fictitious QA team that works the way I say QA teams do", then I think we agree.

Because I'm telling you that you're wrong about the relationship between QA and security in the real world.


I am deeply sorry you never met such a team. It's a most gratifying experience.





