Episode 7: Steve Lipner of SAFECODE on Supply Chain Security - Is It Even Possible?



When it comes to secure software development, Steve Lipner is one of those information security industry leaders who was there at the creation, so to speak. Lipner, the current Executive Director of the non-profit SafeCode, served as the Director of the Microsoft Security Response Center (MSRC) and from 2004 to 2013 - a critical period that saw Bill Gates issue his famous “Trustworthy Computing memo” and saw Microsoft launch the now renowned Security Development Lifecycle (SDL) initiative, which Lipner oversaw. As part of SafeCode, Lipner has worked to promote secure development principles more widely in industry. SafeCode provides free resources on secure software development as well as advice and recommendations for development organizations in the form of white papers, blog posts, social media posts, and more.

ConversingLabs host Paul Roberts chatted with Lipner as a part of our ConversingLabs Cafe series of chats at the recent 2022 RSA Conference in San Francisco.

In this conversation, Lipner explains what secure software is, recounts his own experiences on Microsoft’s Software Security Development Lifecycle Team at as the point of the spear in Microsoft’s Trustworthy Computing Initiative. Lipner stresses that secure software must come from within (so to speak). Outside consultants may be able to promote best practices, but they will never be able to grasp what needs fixing as well as members of your own development team. That’s why an organization’s developers need to be trained and motivated to write secure code, which means seeing mistakes as they write code and throughout the entire development process.

Lipner also talks about the Biden Administration’s Executive Order (EO) on Improving the Nation’s Cybersecurity, released in May 2021. Lipner believes that the impact of the EO is still a work in progress. He noted that Safe Code’s member companies have made it a priority to demonstrate that they are meeting the requirements set forth in the EO. He’s particularly a “fan” of Section 4 of the EO, which lists the requirements for a robust software security program.

Check out their conversation below!

Watch the Podcast