Member Contribution • Weekly CISO Podcast Pick

This Week’s Pick by David Cross (CISO, Atlassian)

Series curated by the CISO Platform community. Spotlighting practical listens for security leaders and their teams.

Advancing Cyber Origin Stories: Steve Lipner - Software Security Pioneer

David’s take: “A rare end-to-end history lesson - from mainframes and the Orange Book to Microsoft’s Security Development Lifecycle and today’s AI-driven software supply chains. This is the context every security leader needs to explain why secure development and assurance really matter.”

Recommended by: David Cross, CISO, Atlassian
Why this pick: 55 years of software security lessons you can map directly to your SDL, SSDF and AI-era assurance programs.
Length: ~57 min
Focus: software assurance • SDL • government assurance programs • secure development frameworks • AI and quantum era risk

Why this episode matters

  • Connects 55 years of history to today’s problems. From mainframes and multi level security to cloud and open source, Steve explains how yesterday’s ideas still shape today’s assurance debates.
  • Shows how SDL became an engineering discipline. The Microsoft security push and Trustworthy Computing memo turned “security initiatives” into a durable way of building software, not a side project.
  • Explains why secure development is necessary but not sufficient. Modern risk spans configuration, operations, incident response and third party/open source dependencies, not just first party code.
  • Frames AI and quantum through a security lens. From 40 percent vulnerable AI generated snippets to post quantum crypto, Steve connects hype to concrete engineering and migration work.
  • Gives practical advice for future custodians of security. Threat modeling, secure defaults, MFA and clear documentation remain the most reliable levers for resilience.

Copy-paste takeaways for your team

  • Treat SDL as a long term discipline, not a one off program: design requirements, training, tooling and response must live inside normal product engineering, not outside it.
  • Document how you meet NIST SSDF style expectations: write down policies for design review, threat modeling, secure coding, testing and response, and keep them current.
  • Inventory your “giblets” - all third party and open source components - and have a clear plan for patching and replacing them when vulnerabilities land.
  • Make “secure by default” a release gate: default configurations should resist common attacks without extra hardening by customers.
  • Assume AI generated code needs review: run static analysis and threat modeling on AI assisted code just like any other source, and track where you are using it.

Standout ideas discussed

  • The 15 to 18 year “security kernel” rabbit hole. Early attempts to enforce multi level security purely in kernels were academically elegant but commercially unusable, teaching the value of usability and market reality.
  • The Orange Book to Common Criteria journey. Government criteria started as feature and documentation heavy and only later grappled with how easy it is to write vulnerable software.
  • The Microsoft security push as culture change. Pausing feature work for thousands of engineers to focus on security, backed by the Trustworthy Computing memo, showed how leadership and engineering discipline must align.
  • Secure development is not enough in the cloud era. Operations, configuration, supply chain, open source and post quantum migration all sit beside SDL, not behind it.
  • AI and formal methods as double edged tools. AI can generate insecure code at scale, but better languages like Rust and modern verification techniques offer new ways to harden critical components.

Try this in the next 7 days

  1. Mini SDL health check: map one key product against a simple lifecycle (requirements, design, implementation, verification, release, response) and note where security activities are missing.
  2. Third party “giblets” review: pick a critical service and list all external libraries, open source components and services it depends on, then confirm how you track and patch them.
  3. Threat modeling workshop: run a 60 minute threat model on one internet facing flow, capturing assets, entry points, controls and the top three improvements.
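A small worked version of step 2, the third-party “giblets” review, as an added example (not from the podcast, from Steve Lipner, or from CISO Platform). It reads a CycloneDX-style SBOM and an advisory list, both constructed inline with placeholder package names and advisory ids, and reports two things a team needs before it can claim it “tracks and patches” its dependencies: which components sit inside a vulnerable version range, and which have no recorded owner. The `owner` property, the `vulnerable_below` field and the advisory ids are assumptions made for the example, not a standard schema.

```python
"""Dependency ("giblet") inventory check.

Added example, not code from the podcast or from CISO Platform.
Takes a minimal CycloneDX-style SBOM and a list of advisories and returns
(a) components whose version is below an advisory's fixed version and
(b) components with no recorded owner, i.e. nobody on the hook to patch.
"""
import json
import re

# Constructed SBOM: names, versions and purls are illustrative placeholders.
# The "owner" property is an assumption for this example, not a CycloneDX field.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "example-http", "version": "2.4.1",
         "purl": "pkg:pypi/example-http@2.4.1",
         "properties": [{"name": "owner", "value": "platform-team"}]},
        {"name": "example-yaml", "version": "5.1.0",
         "purl": "pkg:pypi/example-yaml@5.1.0"},
        {"name": "example-crypto", "version": "41.0.2",
         "purl": "pkg:pypi/example-crypto@41.0.2",
         "properties": [{"name": "owner", "value": "crypto-guild"}]},
    ],
})

# Constructed advisory feed. Ids are placeholders, not real CVE numbers.
# "vulnerable_below" means every version strictly lower than it is affected.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "package": "example-yaml", "vulnerable_below": "5.4.0"},
    {"id": "ADV-PLACEHOLDER-002", "package": "example-http", "vulnerable_below": "2.3.0"},
]


def parse_version(version):
    """Turn '41.0.2' into (41, 0, 2); non-numeric segments count as 0."""
    parts = []
    for segment in version.split("."):
        match = re.match(r"\d+", segment)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def load_components(sbom_json):
    """Extract (name, version, owner-or-None) from a CycloneDX-style SBOM."""
    bom = json.loads(sbom_json)
    components = []
    for comp in bom.get("components", []):
        owner = None
        for prop in comp.get("properties", []):
            if prop.get("name") == "owner":
                owner = prop.get("value")
        components.append((comp["name"], comp["version"], owner))
    return components


def affected_advisories(name, version, advisories):
    """Advisory ids whose vulnerable range covers this component version."""
    return [
        adv["id"]
        for adv in advisories
        if adv["package"] == name
        and parse_version(version) < parse_version(adv["vulnerable_below"])
    ]


def review(sbom_json, advisories):
    """Return {'vulnerable': [(name, version, [ids])], 'unowned': [names]}."""
    vulnerable, unowned = [], []
    for name, version, owner in load_components(sbom_json):
        hits = affected_advisories(name, version, advisories)
        if hits:
            vulnerable.append((name, version, hits))
        if owner is None:
            unowned.append(name)
    return {"vulnerable": vulnerable, "unowned": unowned}


if __name__ == "__main__":
    result = review(SBOM_JSON, ADVISORIES)
    for name, version, ids in result["vulnerable"]:
        print(f"PATCH NEEDED: {name} {version} -> {', '.join(ids)}")
    for name in result["unowned"]:
        print(f"NO OWNER: {name}")
```

Running it on the constructed input flags `example-yaml 5.1.0` against the placeholder advisory and lists the same component as having no owner, while `example-http 2.4.1` is above its advisory's fixed version and is left alone. In a real review the SBOM would come from your build pipeline and the advisory list from a vulnerability database; the point of the exercise is that both inputs exist and that every flagged component has a named owner.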

About David Cross

David is CISO at Atlassian and a long-time community member at CISO Platform. His weekly picks are short-listed for practical signal - conversations that sharpen how we lead, not just what we deploy.


Want your pick featured next?

We’re building a rotating slate of member recommendations from USA, Middle East, and India. If you’re a CISO or security leader, submit a link and 3 bullets on why it matters.

How we choose

  • Short, actionable outcomes for CISO teams
  • No product pitches
  • Useful beyond one region or vertical