“I think we have a long way to go to get the broad understanding of what security really means in the development world.” — Steve Lipner
Steve Lipner has lead the Security Development Lifecycle team at Microsoft since 2004. The SDL initiative is a set of requirements for secure software development.
“The SDL is a set of requirements that developers have to meet. No matter how you are doing development, you have to meet those requirements. A lot of the SDL requirements are based on the application of automated tooling; build requirements, code analysis requirements, automated test tools… ” — Steve Lipner
I had an extended discussion with Steve about what the SDL is really for and how it is used at Microsoft. Along the way, we talked about how application security for the cloud is handled with the SDL, and how the disciplines of DevOps/Agile are taken into account.
“We’ve tried with the SDL to provide a discipline and a set of requirements for secure development, but at the same time, to do that in a way that enabled development groups to meet their customer requirements, to meet their market requirements, to meet their time limit requirements.” — Steve Lipner
Listen to the full interview:
Steve Lipner – The Security Development Lifecycle at Microsoft
Highlights of our discussion
00:33 History of Security Development Lifecycle at Microsoft
01:55 The purpose of the SDL Microsoft development groups
03:02 Native code vs components
03:53 How does DevOps and Agile fit into the Microsoft security roadmap
06:52 Where does SDL sit in the process of automated deployment
08:26 How are requirements enforced
10:20 The cloud and the SDL
11:25 Application security vs network security
12:01 Future vision of security
12:47 Tools for security
13:44 A future in security
About Steve Lipner
As the senior director of security engineering strategy in Microsoft Corp.’s Trustworthy Computing Group, Steve Lipner is responsible for Microsoft’s Security Development Lifecycle team, including the development of programs that provide improved product security and privacy to Microsoft® customers. Additionally, Lipner is responsible for Microsoft’s engineering strategies related to the company’s End to End Trust initiative, aimed at extending Trustworthy Computing to the Internet.
Lipner has more than 35 years experience as a researcher, development manager and general manager in information technology security, and is named as inventor on thirteen U.S. patents in the field of computer and network security. He holds both an S.B. and S.M. degree from the Massachusetts Institute of Technology, and attended the Harvard Business School’s Program for Management Development.