Show 001 – An Interview with Steve Lipner

Steve Lipner

Steve Lipner is the senior director of security engineering strategy in Microsoft’s trustworthy computing group. Steve runs the Security Development Lifecycle team focused on product security and privacy. Steve has been active in computer security for thirty-five years. He holds a B.S. and an M.S. from MIT. His book, The Security Development Lifecycle, co-authored with Mike Howard, is required reading in the field.

 
Show 001 - An Interview with Steve Lipner [22:26m]

2 Responses to “Show 001 – An Interview with Steve Lipner”

  1. Stephen Craig Evans Says:

    Hi Gary,

    Great stuff, especially when you inject your own experience and compare notes with the guest; I’ve listened to it 3 times already. Yes, you started at the top!

    From listening to pretty much all of your podcasts, I see some questions that you are consistently asking like “what are the top 2 software security practices that you recommend?” and “what difference do you see between web app security and general software security?” (I’m broadly paraphrasing this one because I think that it’s the point you are getting at)… I would like to see a couple more like: “is security testing being done by a separate security group, by QA testers, or how? And, if not by a separate security group, how are they trained and chosen?” and some details about their SDL and how it applies to their types of applications (something along the lines of the Silverbullet Cigital roundtable discussing different SDLs; and Mary Ann Davidson of Oracle completely evaded your question to her on this topic in her Silverbullet podcast).

    Cheers,
    Stephen

  2. gem Says:

    Hi Stephen,

    Thanks for the suggestion. I love the idea of a roundtable on the SDL and will try to make that happen.

    Security testing has come up a few times in various silver bullet episodes. I agree that it deserves more airplay.

    gem
