In the security industry, we’re focused on the impact of offensive advancements and how to best adapt defensive strategies without much reflection on how our industry has evolved. I wanted to take a moment to reflect on the history of our industry in the context of one individual’s contribution.
After many years in the software engineering and security business, Steve Lipner, partner director of program management, will retire from Microsoft this month. Steve’s contributions to the security industry are many and far reaching. Many of the concepts he helped develop form the basis for today’s approach to building more secure systems.
In the early 2000’s Steve suffered through CodeRed and Nimda, two worms that affected Microsoft Internet Information Server 4.0 and 5.0. In January 2002 when Bill Gates issued his “Trustworthy Computing memo” shifting the company’s focus from adding features to pursuing secure software, Steve and his team went to work training thousands of developers and started a radical series of “security pushes” that enabled Microsoft to change the corporate culture to emphasize product security.
Steve likes to joke that he started running the Microsoft Security Response Center (MSRC) when he was 32; the punchline being that the retirement-aged person he is today is strictly due to the ravages of the job. Microsoft security was once called one of the hardest jobs out there and Steve’s work is truly an inspiration.
The Security Development Lifecycle (SDL) is the process that emerged during these security improvements. Steve’s team has been responsible for the application of the SDL process across Microsoft, while also making it possible for hundreds of security organizations to adopt, or like Adobe, using it as a model for their respective secure product engineering frameworks
Along with Michael Howard, Lipner co-authored of the book The Security Development Lifecycle and he is named as inventor on 12 U.S. patents and two pending applications in the field of computer and network security. He served two terms on the United States Information Security and Privacy Advisory Board and its predecessor. I’ve had the pleasure of working with Steve on the board for SAFECode – The Software Assurance Forum for Excellence in Code – a non-profit dedicated to the advancement of effective software assurance methods.
I’d like to thank Steve for all of the important contributions he has made to the security industry.
Vice President & CSO