SAFECode is getting new leadership with the appointment of Steven Lipner as Executive Director. Lipner officially took the top job at SAFEcode on December 1, succeeding former U.S federal government cybersecurity co-ordinator Howard Schmidt. In his new role, Lipner will bring his expertise as one of the founders of the Secure Development Lifecycle (SDL) methodology at Microsoft, to SAFECode.
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit effort, supported by multiple organizations, in an effort to help identify and advance best practices for secure software development.
“The members are under a mutual non-disclosure agreement which enables them to share some internal techniques and documents from time to time,” Lipner told eWEEK. “Basically members work together to collaborate on secure development.”
SAFEcode members include Adobe Systems Incorporated, CA Technologies, Dell EMC, Intel Corporation, Microsoft Corp., SAP AG, Siemens AG and Symantec Corp.
Additionally, Lipner said that SAFEcode also works to share best practices externally as well, with free secure development training material as well as documents about security best practices.
Lipner had previously worked at Microsoft from 1999 until his retirement in April 2015. From 2011 until he retired from Microsoft, he also served as a board member at SAFEcode. Lipner is known for his security work at Microsoft where he helped to create and lead the company’s Security Development Lifecycle (SDL) team. The SDL effort was first implemented by Microsoft in 2004, with the basic idea being to have integrated security by default in both the design and deployment of software. It’s an approach that also led Microsoft to develop a regular patching system as part of a new lifecycle for keeping its customers and its software secure.
As to why Lipner is joining SAFEcode, he said that he sees it as a way to continue his commitment to secure development and make an impact across the industry.
“Secure development is as important today, if not more-so, than it was 10 or 15 years ago,” Lipner said.
There are a number of things that Lipner sees missing in IT security today. Among the big challenges, according to Lipner, is that new developers often are unaware of the importance of secure development. The other item that is an ongoing concern is the level of education among organizations about how to build a secure development program.
While software development frameworks that directly integrate security are helpful, Lipner emphasized that developers still have to be responsible for their own code.
“The more that tools can do for developers, with built-in security mechanisms that help developers from making mistakes, the better off code will be,” Lipner said. “That said, there is always still the need for developers to be paying attention, to make sure that what he or she is developing is secure code.”
Building secure code isn’t about simply lifting the Microsoft SDL model that Lipner helped to pioneer and bringing it to other organizations. He noted that every organization has its own development style and preferences for which tools are used.
“SDL is not a one size fits all approach,” Lipner said. “Though there are common elements across secure development processes and SAFEcode has released the fundamental practices for security development document and updated it over the years, tracking the things that are common.”
“Organizations can start with the fundamentals, but they still have to adapt to the needs of their own developers,” he said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist