CCS 2007

Keynote Talk

Assurance and Evaluation: What Next?

Tuesday, 30 October 2007
9:30 - 10:30 AM

Speaker: Steve Lipner,
Microsoft Corporation
Redmond, WA, USA
slipner [at]


This talk presents some observations on the nature of system security and security assurance, and on the processes that attempt to evaluate assurance. Over the past forty years, approaches to assuring software security have evolved from “penetrate and patch”, through attempts to prove security, to the application of automated tools that help developers detect and remove potential vulnerabilities. A review of that evolution leads to some observations on the effectiveness and practicality of the various approaches, and to the conclusion that the most theoretically appealing approaches may not be the most practical or the most likely to succeed.

The talk then considers the processes by which user organizations, primarily governments, have attempted to evaluate product security. A review of historic approaches to evaluation supports the conclusion that past evaluation regimes have achieved limited success. The talk suggests some attributes of approaches to evaluation better suited to the realities of processes that achieve security assurance and more likely to provide valuable information to end users.

Speaker Biography:

Steve Lipner is Senior Director of Security Engineering Strategy in Trustworthy Computing at Microsoft. He is responsible for the definition and updating of the Security Development Lifecycle that Microsoft applies to improve the security and privacy of its products. He is also responsible for Microsoft’s policies and strategies for the security evaluation of its products. Mr. Lipner has over thirty years’ experience as a researcher, development manager, and general manager in IT security and is named as co-inventor on eleven patents in the field of computer and network security. He holds S.B. and S.M. degrees from M.I.T. and is coauthor of The Security Development Lifecycle.