POPULARITY
2 episodes with steve lipner
3 episodes with steve lipner
In episode 107 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager are joined by Steve Lipner, Executive Director of SAFECode. Together, they discuss how software development organizations can use principles of "secure by design" to get on a track of continuous improvement.Here are some highlights from our episode:01:38. Steve's background and thoughts on the emergence of secure by design14:04. Three guiding principles of secure software development16:13. The impact of security awareness from a developer's perspective22:22. How threat modeling helps to address security as a system problem25:37. The effect of modern software development methodologies like Agile and DevSecOps30:29. What CISA's activity around secure by design means for the industryResourcesSAFECodeSecure Software Development Framework (SSDF)Embedded IoT Security: Helping Vendors in the Design ProcessEpisode 95: AI Augmentation and Its Impact on Cyber DefenseIf you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.
During the last several years, there has been growing concern that the development of quantum computers could undermine the public-key cryptography that is a fundamental pillar of security on the Internet. Recently, the U.S. Government's National Institute of Standards and Technology has released draft standards for post-quantum encryption algorithms that can replace the existing, and potentially vulnerable public-key encryption. But while the future of encryption will depend on new algorithms,there are many other factors that will influence security in the decades to come. In 2022, the National Academies of Sciences, Engineering, and Medicine released a report on "The Future of Encryption" that examines factors including technical aspects of cryptography, societal and policy considerations, and product engineering. The report presents a series of findings that apply broadly, and paints three alternative future scenarios for the future of encryption. This presentation, based largely on the Academies report, will provide researchers, engineers, and policy professionals with context in which to view future developments and concepts for prioritizing future actions. About the speaker: Steve Lipner is the executive director of SAFECode, an industry nonprofit focused on software security assurance. He was previously partner director of software security at Microsoft where he was the creator and long-time leader of the Security Development Lifecycle (SDL) and was responsible for software integrity policies and government security evaluations. Steve also serves as the chair of the U.S.Government's Information Security and Privacy Advisory Board. He has more than a half century of experience in cybersecurity as researcher, engineer, and development manager and is named as coinventor on twelve U.S. patents. He is a member of the National Academy of Engineering and chaired the Academies' Committee on the Future of Encryption. Steve's CV is available at www.stevelipner.org.
In this episode, we speak with Steve Lipner, Executive Director of Safe Code, and Karen Worstell, VMWare Cyber Strategist. They discuss the new scale of DevSecOps, secure code, and safely adopting new technologies. Karen describes how modern operating environments differ from older ones, and the concerns involved with quickening development cycles. Steve explains the work of his nonprofit, Safe Code, and the importance of integrating security with a development cycle. They also discuss the future of cloud infrastructure and get into the benefits and possible pitfalls of Chat GPT.---------Key Quotes:Karen "What's really really different? The type of code we're writing has changed. The operating environment that we're pushing it into has changed. And the time cycle has really changed. It's a concern, to be honest. It's a benefit, but it's also something that worries people."Karen“The cycle has revved up tremendously and it's changed the way we work. So DevSecOps basically means that you've got this development cycle and then you've got the operations of it on an ongoing basis.”Steve "The role of the security team is to help organize, train, and equip so that the developers have the right processes, the right training. They know what a security bug looks like and why you don't want to have one. And the right equipment, the right tools to tell them when they need to do something differently and what to do about it."Steve "If you want a thousand person security team, then the way to do that is to do all the audits and all the testing, and all the security reviews and all the compliance after the fact. If you want secure software out there this afternoon, the responsibility for building secure software has to be with the developers. The role of the security team is to help organize, train, and equip so that the developers have the right processes, the right training."Karen:“I think the truth of it is that in the technology world, where we're surrounded by new technology, and we're used to that cycle of new technology evolution and adopting it like early adopters, we can get out over the skis when it comes to the rest of the world…Technical debt is our biggest risk, my opinion.”---------Time stamps:(02:45) What DevSecOps means(04:40) Leveraging DevSecOps as a leader(08:20) The development cycle's acceleration (10:05) Safe Code's mission(10:55) Old dev cycles vs. new ones(12:05) Building a secure development model(14:50) Difficulties behind a security push(17:40) Recognizing the importance of security pushes(19:55) Exploring the move to cloud(21:00) How the modern world adopts new technology(24:00) The risks of AI acceleration (30:05) Where to connect with Karen and Steve---------Links:Steve's LinkedIn: https://www.linkedin.com/in/steve-lipner/Steve's website: https://www.stevelipner.org/Steve on Twitter: https://twitter.com/lipner?lang=enKaren's LinkedIn: https://www.linkedin.com/in/karenworstell/CIO Exchange on Twitter: https://twitter.com/vmwcioexchangeYadin Porter de León on Twitter: https://twitter.com/porterdeleon [Subscribe to the Podcast] On Apple Podcast: https://podcasts.apple.com/us/podcast/cio-exchange-podcast/id1498290907 For more podcasts, video and in-depth research go to https://www.vmware.com/cio---------Keywords: cio, cio exchange, VMware, innovation, leadership, IT, information technology, technology, cto, cloud, multi-cloud, security, devops, devsecops, artificial intelligence, machine learning, AI, Chat GPT, development cycles, technology leadership, AI security
Over fifty years, I've led a lot of security projects that I thought would change the world. Many of them crashed and burned at great cost in money and reputation. There were some common threads including reliance on government claims about the market and on minimal secure systems built from scratch. This talk will describe some failures, some lessons learned the hard way, and how they paid off. About the speaker: Steve Lipner is the executive director of SAFECode, a nonprofit focused on software assurance. He was the creator of theWindows Security Push and the creator and long-time leader of the Microsoft Security Development Lifecycle (SDL). Steve has more than a half century of experience in computer and network security as a researcher, engineer, and development manager, He is chair of the United States Government's Information Security and Privacy Advisory Board, and a member of the National Academy of Engineering and the National Cybersecurity Hall of Fame.
Over fifty years, I’ve led a lot of security projects that I thought would change the world. Many of them crashed and burned at great cost in money and reputation. There were some common threads including reliance on government claims about the market and on minimal secure systems built from scratch. This talk will describe some failures, some lessons learned the hard way, and how they paid off.
Hello and welcome to episode 6 of Software Security Gurus, with Matias Madou. In this interview, he chats with Steve Lipner, software security expert, and founder of SAFEcode.org. They discuss his influential book, Security Development Lifecycle, and the changes seen in the fifteen years since its release. With diversity in programming languages a key change, Steve reveals the lessons learned in this period of rapid transformation. For more information, please visit www.softwaresecuritygurus.com. --- Send in a voice message: https://anchor.fm/softwaresecuritygurus/message
For more than 30 years, the cybersecurity community has worked to increase the effectiveness of our cybersecurity and resilience efforts. Today we face an explosion of devices, the pervasiveness of software, the threat of adversarial capability, and the dependence of national capabilities on the cyber domain. These challenges demand that we think about how to achieve the future we need, which is the subject of a new series of podcasts, The Future of Cyber. In this episode, Bobbie Stempfley, director of the CERT Division of the SEI, explores the future of secure coding with Steve Lipner, the executive director of SAFECode and former director of software security at Microsoft, where he created Microsoft’s Security Development Lifecycle.
We've reached the end of season six, and here are a few of our favorite clips. Season seven is around the corner. S06E01 — Marc French — The AppSec CISO What are some tips for someone who wants to become a CISO? Is there such a thing as a CISO school? S06E05 — Steve Lipner [...] The post Marc French, Steve Lipner, Maya Kaczorowski, DJ Schleen, Kim Wuyts — Season Six Wrap up appeared first on Security Journey Podcasts.
Steve Lipner is a pioneer in cybersecurity, approaching 50 years’ experience. He retired in 2015 from Microsoft where he was the creator and long-time leader of Microsoft’s Security Development Lifecycle (SDL) team. While at Microsoft, Steve also created initiatives to encourage industry adoption of secure development practices and the SDL and served as a member [...] The post Steve Lipner — The Past, Present, and Future of SDL appeared first on Security Journey Podcasts.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-036-Adam_Shostack-threat_modeling.mp3 Adam Shostack has been a fixture of threat modeling for nearly 2 decades. He wrote the 'threat modeling' bible that many people consult when they need to do threat modeling properly. We discuss the different threat modeling types (STRIDE, DREAD, Trike, PASTA) and which ones Adam enjoys using. Mr. Boettcher asks how to handle when people believe an OS is better than another, how to do threat modeling to decide which OS should be the one to use. Stay after for a special post-show discussion with Adam about his friend Stephen Toulouse (@stepto). RSS: http://www.brakeingsecurity.com/rss Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 #Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast Join our #Slack Channel! Sign up at https://brakesec.signup.team #iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/ #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/ SHOW NOTES: Ideas and suggestions here: Start with “What is threat modeling?” What is it, why do people do it, why do organizations do it? What happens when it’s not done effectively, or at all? At what point in the SDLC should threat modeling be employed? Planning? Development? Can threat models be modified when new features/functionality gets added? Otherwise, are these just to ‘check a compliance box’? Data flow diagram (example) - process flow External entities Process Multiple Processes Data Store Data Flow Privilege Boundary Classification of threats- STRIDE - https://en.wikipedia.org/wiki/STRIDE_(security) DREAD - https://en.wikipedia.org/wiki/DREAD_(risk_assessment_model) PASTA - https://www.owasp.org/images/a/aa/AppSecEU2012_PASTA.pdf Trike - http://octotrike.org/ https://en.wikipedia.org/wiki/Johari_window Butler Lampson, Steve Lipner link: https://www.nist.gov/sites/default/files/documents/2016/09/16/s.lipner-b.lampson_rfi_response.pdf Escalation Of Privilege card game: https://www.microsoft.com/en-us/download/details.aspx?id=20303 NIST CyberSecurity Framework: https://www.nist.gov/cyberframework Data Classification Toolkit - https://msdn.microsoft.com/en-us/library/hh204743.aspx Microsoft bug bar (security) - https://msdn.microsoft.com/en-us/library/windows/desktop/cc307404.aspx Microsoft bug bar (privacy) - https://msdn.microsoft.com/en-us/library/windows/desktop/cc307403.aspx OWASP threat Modeling page: https://www.owasp.org/index.php/Application_Threat_Modeling OWASP Threat Dragon - https://www.owasp.org/index.php/OWASP_Threat_Dragon Emergent Design: https://adam.shostack.org/blog/2017/10/emergent-design-issues/ https://www.researchgate.net/profile/William_Yurcik/publication/228634178_Threat_Modeling_as_a_Basis_for_Security_Requirements/links/02bfe50d2367e32088000000.pdf Robert Hurlbut (workshop presenter at SourceCon Seattle) https://roberthurlbut.com/Resources/2017/NYMJCSC/Robert-Hurlbut-NYMJCSC-Learning-About-Threat-Modeling-10052017.pdf (much the same content as given at Source) Adam’s Threat modeling book http://amzn.to/2z2cNI1 -- sponsored link https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998/ref=mt_paperback?_encoding=UTF8&me= Is the book still applicable? New book What traps do people fall into? Attacker-centered, asset-centered approaches Close with “how do I get started on threat modeling?” SecShoggoth’s Class “intro to Re” Johari window? http://www.selfawareness.org.uk/news/understanding-the-johari-window-model
Steve Lipner is the Executive Director of SAFECode, a non-profit organization dedicated to increasing trust in ICT products and services. He retired in 2015 as Partner Director of Software Security at Microsoft, where he was the creator and long-time leader of the Microsoft Security Development Lifecycle (SDL). Full Show Notes: http://wiki.securityweekly.com/wiki/index.php/Episode513 Subscribe to YouTube Channel: https://www.youtube.com/channel/UCg--XBjJ50a9tUhTKXVPiqg Security Weekly Website: http://securityweekly.com Follow us on Twitter: @securityweekly
Steve Lipner is the Executive Director of SAFECode, a non-profit organization dedicated to increasing trust in ICT products and services. He retired in 2015 as Partner Director of Software Security at Microsoft, where he was the creator and long-time leader of the Microsoft Security Development Lifecycle (SDL). Full Show Notes: http://wiki.securityweekly.com/wiki/index.php/Episode513 Subscribe to YouTube Channel: https://www.youtube.com/channel/UCg--XBjJ50a9tUhTKXVPiqg Security Weekly Website: http://securityweekly.com Follow us on Twitter: @securityweekly
Steve Lipner of SAFECode joins us, Roi Abutbul and Guy Franco of Javelin Networks show us the importance of protecting AD, and we discuss the latest security news! Full Show Notes: http://wiki.securityweekly.com/wiki/index.php/Episode513 Visit http://www.securityweekly.com for all the latest episodes! Subscribe to YouTube Channel: https://www.youtube.com/channel/UCg--XBjJ50a9tUhTKXVPiqg Security Weekly Website: http://securityweekly.com Follow us on Twitter: @securityweekly
Steve Lipner of SAFECode joins us, Roi Abutbul and Guy Franco of Javelin Networks show us the importance of protecting AD, and we discuss the latest security news! Full Show Notes: http://wiki.securityweekly.com/wiki/index.php/Episode513 Visit http://www.securityweekly.com for all the latest episodes!
© 2020-2025 Ivy Podcast Discovery LLC
