All of us at SAFECode are looking forward to working with our new Executive Director Steve Lipner, appointed December 1, 2016. While all of the SAFECode board members have been privileged to work closely with Steve over many years, we thought you’d enjoy learning more about him. We took a moment to ask Steve a few questions.
Q: What are some of the most important security trends you’re watching?
LIPNER: For several years now, we’ve seen the transition of security from “hacking” which demonstrated system weaknesses to a more motivated and targeted phenomenon. I don’t like the phrase “Advanced Persistent Threat” (APT) but we are seeing competent and well-resourced adversaries conducting well-planned attacks targeting individuals as well as private and public sector organizations. Another major trend is the increase in the interconnectedness of services, devices and sensors – not only the growth of online services but the emergence of the Internet of Things (IoT) make security much more important. Software security assurance is fundamental to protecting users, devices, and services of all kinds.
Q: Which of these risks do you view as most important to businesses, and why? Which will pose the greatest risk if not addressed?
LIPNER: The risks to businesses depend on their specific dependence on technology, but the growth of malicious attackers combines with the expectation of universal connectivity to make security much more important than it was ten or fifteen years ago. Businesses must have secure systems and software, securely operated and administered.
Q: What’s in store for SAFECode moving forward?
LIPNER: The members of SAFECode will continue to collaborate to share new techniques for making software more secure. As new paradigms emerge, we’ll be thinking about their implications for development, and creating, sharing, and making public new approaches to addressing the challenges those paradigms pose. You should expect to see content related to the secure use of third party components, threat modeling and supply chain early in 2017.
Q: What are some of the specific security threats you see moving forward? Are businesses addressing these threats now?
LIPNER: I talked about competent and malicious attackers whose presence increases the importance of secure software and systems securely operated and administered. New classes of vulnerabilities and attacks continue to be discovered, and it’s very important that businesses address those vulnerabilities and attacks by incorporating security measures and continuous improvement in their practices. Many development organizations are doing this and SAFECode wants to make it easier for even more to do so.
Q: What are some of the best practices businesses can implement to protect against these risks as these threats continue to grow?
LIPNER: Train your developers to build secure code – and SAFECode’s free, on-demand training courses are a great resource to build on – and apply secure development practices as described in the SAFECode’s Fundamental Practices for Secure Software Development. document – along with other free resources available for download from the SAFECode website.