Writing Secure Programs, An Interview with Steve Lipner, by Peter J. Denning

Abstract

Editor's Introduction: Protecting computing systems and networks from attackers and data theft is an enormously complicated problem. The individual operating systems are complex (typically more than 40 million lines of code), they are connected to an enormous Internet (on order of 1 billion hosts), and the whole network is heavily populated (more than 2.3 billion users). Hunting down and patching vulnerabilities is a losing game. Steve Lipner, partner director of program management in Trustworthy Computing Security at Microsoft, has been involved in securing systems for nearly 40 years and has learned how to make security better. His responsibilities encompass Microsoft’s process for assuring the security of its products and online services— the Security Development Lifecycle (SDL)—as well as a variety of programs related to government evaluations of the security and integrity of Microsoft products and services. Lipner has been a consultant, researcher, development manager, and corporate executive in what we refer to today as “cyber security.” Here he shares his experiences in what has and has not worked. He sees by far the best results when programmers adopt secure development practices. (Peter J. Denning Editor-in-Chief)