Steve Lipner

Cybersecurity

Curriculum Vitae

Steven B. Lipner
Seattle Washington
lipner at outlook dot com

Education

S.B. in Civil Engineering, Massachusetts Institute of Technology
S.M. in Civil Engineering, Massachusetts Institute of Technology
Program for Management Development, Harvard Business School

Career History

SAFECode, 2016 - present
Wakefield, MA
Executive Director

Institute for Software Research, School of Computer Science, Carnegie Mellon University, 2016 - present
Pittsburgh, PA
Adjunct Professor of Computer Science

Microsoft Corporation, 1999 - 2015
Redmond, WA
Partner Director of Software Security

Mitretek Systems (now Noblis), 1997 - 1999
McLean, VA
Director, Systems Technology Center

Trusted Information Systems, 1994 - 1997
Glenwood, MD   
Executive Vice President

MITRE Corporation, 1992 - 1994
McLean, VA
Director of Information Systems

Digital Equipment Corporation, 1981 - 1992
Littleton, MA
Group Engineering Manager, Secure Systems Group

MITRE Corporation, 1969 - 1981
Bedford, MA
Associate Department Head

Awards and Honors

National Academy of Engineering, 2017

SAFECode Steve Lipner Software Security Assurance Award, 2016

National Cybersecurity Hall of Fame (Class of 2015)

ACM SIGSAC Outstanding Contributions Award, 2015

ISSA Hall of Fame, 2010

Microsoft Trustworthy Computing Award for Security, 2005

Applied Computer Security Associates (ACSA) Distinguished Practitioner Award, 2004

Hertz Graduate Fellow, Massachusetts Institute of Technology

Career Highlights

Steven B. Lipner is the executive director of SAFECode, a non-profit organization dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. As executive director, Lipner serves as an ex officio member of the SAFECode board. In addition to providing strategic and technical leadership, his responsibilities include representing SAFECode to IT user and development organizations, to policymakers, and to the media.

Lipner is the creator and long-time leader of Microsoft's Security Development Lifecycle (SDL) team that defines the SDL, develops associated tools and processes, and assists product and online service engineering groups as they integrate the SDL into their development activities. Lipner also established and led activities to make the SDL available to organizations beyond Microsoft. He retired from Microsoft in 2015 after more than fifteen years of service.

Lipner joined Microsoft in 1999 and was initially responsible for the Microsoft Security Response Center. In the aftermath of the major computer "worm" incidents of 2001, Lipner and his team formulated and led programs that helped customers respond to the immediate challenges posed by software vulnerabilities and Internet worms. Lipner and his team also developed the strategy of "security pushes" that, as part of the Trustworthy Computing initiative, stopped all development by more than 8,000 Windows developers to focus on immediate security improvements. This strategy enabled Microsoft to make rapid improvements in the security of its software and to change the corporate culture to emphasize product security. The SDL is the product of these improvements and is widely viewed as the industry's leading secure software development process. 

Lipner has been a leader in industry efforts to improve software security and to provide customers with confidence in product security. As a director and board chair of SAFECode while at Microsoft, he played a leading role in industry efforts to advance and share techniques for secure software development.  His keynote at the 2004 International Common Criteria Conference and his subsequent engagement with the Common Criteria community initiated a reexamination of the effectiveness of the Common Criteria that culminated in new more cost-effective and realistic approaches to product evaluation.

Before joining Microsoft, Lipner worked for software vendors and government contractors as a researcher, consultant, development manager, and general manager in IT security. At Mitretek Systems, he served as the executive agent for the U.S. Government's Infosec Research Council (IRC) and was a co-author of the initial IRC Hard Problems List.  At Trusted Information Systems (TIS), he led the Gauntlet Firewall business unit whose success was the basis for TIS' 1996 Initial Public Offering. Lipner was also the primary inventor of the TIS cryptographic key recovery technology.

During his eleven years at Digital Equipment Corporation, Lipner led and made technical contributions to the development of a variety of security products. These included a highly secure operating system (VAX SVS) that was targeted at A1 evaluation under the Trusted Computer systems Evaluation Criteria (Orange Book), an Ethernet encryption system, a security configuration management product, and a public key-based authentication system. Lipner also contributed to the design of Digital's operating system that achieved B1 evaluation under the Orange Book (SE/VMS) and drove the technical response to malicious intrusions into Digital's internal network. 

While at the MITRE Corporation, Lipner made significant contributions that helped set the direction of computer security research for the next twenty years. He originated the approach of using a Virtual Machine Monitor to achieve multilevel security and managed the teams that developed the Bell-LaPadula model for multilevel security, and prototyped the application of the model in a security kernel for the PDP-11/45.

Throughout his career, Lipner has been a contributor to government and industry efforts to improve cybersecurity. He was a member of the Air Force Computer Security Technology Planning Study Panel that produced the Anderson Report, and a key industry reviewer and contributor to the development of the Orange Book. Lipner was one of the founding members of the U.S. Government Information Security and Privacy Advisory Board and has served a total of over ten years in two terms on the board.  He has been a member of ten National Research Council committees.