I usually get shouted down when I say this, but Microsoft's focus on secure code over the last 10 years has paid off. Not only is the OS too hard a target (hence the increase in Java and Adobe product exploits), but their software running on their OS has fallen in line too.
I know the saying "many eyes make bugs shallow", but so do billions of dollars and years of concentrated effort. Kudos to Microsoft for getting their act together.
No, the saying does not hold. Microsoft didn't buy "many eyes"; they bought a relatively small number of very specialized eyes. At any one time in the mid-2000s, something like 4-5 security firms did $1MM or more in a year at Microsoft, and those firms each had between 15-40 people working at them, and no firm did 100% of its business at MSFT.
What happened at Microsoft may not disprove this folk wisdom about defect detection, but it's evidence against it, not for it.
That's not really how secure coding works at Microsoft, though. There aren't more eyes on the code, just more developer training and more processes in place. (At least that was my experience working there from 2006 to 2009.)
We also have mandatory security training for all developers. Turning every developer into a security reviewer helps a lot.
It's nothing compared to the knowledge I got by working in app sec or teaching network security, but it's pretty good for increasing the base of knowledge among general developers.
And that is an interesting point, and it is specifically the point the G*P was making, which was obscured by saying, "Oh, but there are still multiple eyes here."