Alex asked a good question on my previous post: what are the dev teams doing between now and Beta 2 ship? I wasn't really clear on that. After you hit ZBB, you're not done. ZBB is a moment in time, and you'll still get bugs after that. Remember that Developer Division is made up of lots of different teams, all of whom have to get finished at about the same time since we all ship together. So as we approach the end of a milestone, be it Beta 2 or the final (RTM) ship of the product, there is more and more coordination across the division to make this happen. Every day there is a "Whidbey War" meeting where representatives from each team give status and make sure everybody is on the same page. Usually how it works is that there are a few weeks after ZBB for teams to absorb the "Bounce" part of ZBB (additional new bugs or reactivations of bugs that were marked fixed but it didn't stick for whatever reason -- on our team this is usually about 7% of our fixes). After that we enter something called "Tell Mode", where teams have to report all the bugs that they are fixing to War. This is a warm-up exercise so people can get a feel for the types of issues that are appropriate to be fixing, and others will ask why you're fixing some bugs and not others or what bar you're applying. After Tell Mode comes "Ask Mode", where teams bring the bugs they want to fix and have to get the OK, and answer why we can't ship without fixing this or that bug. The whole point is to crank up the pain so you crank down the churn on the product, concentrate on stability and getting it out the door.
Now, back to Alex's question. Beta 2 is a little different. First, it's straddling the holidays during which nothing really happens. Second, Beta 2 needs to be very close to RTM quality as some customers will be doing deployments on it. So right now the dev team is spending about a month focused specifically on security. We do think about security every day, but you really do need to focus on it to have any hope of getting it right. Security Reviews are one of those things that can make your brain really hurt, kind of like thinking of complex threading issues. There's a lot of "well if A, B, C, and D happened, could someone do X or Y?" We have some tools that help us find certain categories of security issues, and after we fix all those, the team is doing three things. First they're going through each file (over 2,000 of them) looking at the code line by line. Then they'll do it again by feature, thinking about each feature and how it works in semi-trust, how it could be used to do bad things and how to prevent that. Then they'll do it again by threat. They'll look at the product as a whole and try to apply different types of threats (luring attacks, elevation of privilege, etc.) across features and see what pops out there. It's really pretty hard work but it's obviously something that we absolutely have to do and do right. That'll take us into the New Year. After that we're going to fix the bugs that built up while we were doing the Security Push, and that'll be during Tell Mode. Then we'll go into Ask Mode, which is longer than usual this time so that all the pieces of the product can "bake" for longer and we can really stress the product and fix those types of issues. Right now there are 8 weeks in there for stress. Stress work tends to be very sensitive to churn which is why we do some of it last, along with the CLR and ASP.NET teams.
As we get into Ask Mode and the bar goes up, some part of the team will start working on fixing bugs in the RTM tree to get a head start there.
RTM will be rinse-and-repeat. We'll drive the bugs to zero again, and repeat the process. We've been hard core about fixing the right bugs for Beta 2 and all the hard bugs so with any luck, the RTM push should be a much easier turn of the crank.