CIO Exchange Podcast

Whose Responsibility is Secure Software? with Steve Lipner, Executive Director of SAFECode, and Karen Worstell, VMware Cyber Strategist

Episode Summary

In this episode, we speak with Steve Lipner, Executive Director of SAFECode, and Karen Worstell, VMware Cyber Strategist. They discuss the new scale of DevSecOps, secure code, and safely adopting new technologies.

Episode Notes

Karen describes how modern operating environments differ from older ones, and the concerns involved with quickening development cycles. Steve explains the work of his nonprofit, SAFECode, and the importance of integrating security with a development cycle. They also discuss the future of cloud infrastructure and get into the benefits and possible pitfalls of ChatGPT.

---------

Key Quotes:

Karen 

"What’s really really different? The type of code we're writing has changed. The operating environment that we're pushing it into has changed. And the time cycle has really changed. It's a concern, to be honest. It's a benefit, but it's also something that worries people."

Karen

“The cycle has revved up tremendously and it's changed the way we work. So DevSecOps basically means that you've got this development cycle and then you've got the operations of it on an ongoing basis.”

Steve 

"The role of the security team is to help organize, train, and equip so that the developers have the right processes, the right training. They know what a security bug looks like and why you don't want to have one. And the right equipment, the right tools to tell them when they need to do something differently and what to do about it."

Steve 

"If you want a thousand person security team, then the way to do that is to do all the audits and all the testing, and all the security reviews and all the compliance after the fact. If you want secure software out there this afternoon, the responsibility for building secure software has to be with the developers. The role of the security team is to help organize, train, and equip so that the developers have the right processes, the right training."

Karen

“I think the truth of it is that in the technology world, where we're surrounded by new technology, and we're used to that cycle of new technology evolution and adopting it like early adopters, we can get out over the skis when it comes to the rest of the world…Technical debt is our biggest risk, in my opinion.”

---------

Time stamps:

(02:45) What DevSecOps means

(04:40) Leveraging DevSecOps as a leader

(08:20) The development cycle’s acceleration 

(10:05) Safe Code’s mission

(10:55) Old dev cycles vs. new ones

(12:05) Building a secure development model

(14:50) Difficulties behind a security push

(17:40) Recognizing the importance of security pushes

(19:55) Exploring the move to cloud

(21:00) How the modern world adopts new technology

(24:00) The risks of AI acceleration 

(30:05) Where to connect with Karen and Steve

---------

Links:

Steve’s LinkedIn: https://www.linkedin.com/in/steve-lipner/

Steve’s website: https://www.stevelipner.org/

Steve on Twitter: https://twitter.com/lipner?lang=en

Karen’s LinkedIn: https://www.linkedin.com/in/karenworstell/

CIO Exchange on Twitter: https://twitter.com/vmwcioexchange

Yadin Porter de León on Twitter: https://twitter.com/porterdeleon

[Subscribe to the Podcast] 
On Apple Podcast: https://podcasts.apple.com/us/podcast/cio-exchange-podcast/id1498290907 
For more podcasts, video and in-depth research go to https://www.vmware.com/cio

---------

Keywords: 

cio, cio exchange, VMware, innovation, leadership, IT, information technology, technology, cto, cloud, multi-cloud, security, devops, devsecops, artificial intelligence, machine learning, AI, Chat GPT, development cycles, technology leadership, AI security

Episode Transcription

0:00:00.0 Steve Lipner: The role of the security team is to help organize, train, and equip so that the developers have the right processes, the right training, they know what a security bug looks like and why you don't wanna have one, and the right equipment, the right tools that tell them when they need to do something differently and what to do about it.

0:00:22.9 Yadin Porter De Leon: Welcome to the CIO Exchange Podcast, where we talk about what's working, what's not and what's next. I'm Yadin Porter de Leon. In this episode, I speak with Karen Worstell, VMware Cyber Strategist, and Steve Lipner, Executive Director of SAFECode and co-developer of the original Microsoft Secure Development Life Cycle model. They talk about the new scale of DevSecOps, secure code and how to safely adopt new technologies. Karen also describes how modern operating environments differ from older ones and the concerns she has with quickening development life cycles. Steve explains the work of his nonprofit, SAFECode, and the importance of combining security with development cycles. They also discussed the future of cloud infrastructure and get into the benefits and possible pitfalls of ChatGPT as it relates to the acceleration of security threats.

0:01:11.6 Yadin Porter De Leon: Steve, I'm so glad that you were able to join today and with us as well, which is great, we also have Karen Worstell. It was great that we kind of brought everyone together here because you two haven't actually spoken in a little while, have you? It's been a while. How long has it been since you guys have talked? 

0:01:23.5 Karen Worstell: Oh gosh. I kind of hate to admit like how many years it's been, but I think I left Microsoft in 2005 and maybe I've run into you at RSA a couple times since then.

0:01:34.7 Steve Lipner: That would've been my guess, that I've run into you at RSA a few times, but it has been a while.

0:01:40.7 Yadin Porter De Leon: Oh, it sounds crazy. 'Cause I know Steve, just you know, kind of backstory too, Karen, I have been wanting to do this topic for a long time and we're going through different people and finally she's like, "You know what, I have the perfect person. We have to talk to Steve Lipner." And I said, "Great, let's do it." So here we are. It's fantastic that Karen, you thought of Steve and that now you're talking to him even though it's been so long.

0:02:00.9 Karen Worstell: I'm grateful for Steve saying yes. This is gonna be fun.

0:02:03.5 Steve Lipner: It's very, very cool to be reconnected.

0:02:05.8 Yadin Porter De Leon: Fantastic. So I wanted to just... To get into it too, 'cause I know there's been emerging conversation actually, this is not a new conversation, which is how do you integrate a lot of these different elements of the software supply chain of operations, of developers and security, even though now there's a term that's DevSecOps, which is kind of the overarching story arc that we're talking about today. I wanted to just level set a little bit too. Talk about, Steve, maybe we could start with you, this is not a new conversation, do you feel like just having DevSecOps as a term, is that an inflection point? Is that a negative? Is it kind of something now this new term that means like everything to everyone? 

0:02:44.1 Steve Lipner: It's a little bit of a new term that means everything to everybody, as you say. When I was at Microsoft, we were largely focused on secure development, on building code that was secure. And then as the cloud and online services emerged as a more and more major part of the business, we evolved naturally to what's now called a DevSecOps discipline, where the developers were also responsible for operating the service and to the extent that they could, they did the system management, system operations with code rather than people pushing buttons or clicking on mouse, what have you. But because we had sort of integrated the secure development piece into what people were expected to do before that transition, how do we do this and still achieve this agility that we need for DevSecOps? At another point, how... We're going to do this and we're gonna keep the secure development 'cause we know why that's important. And so it was both a challenge to make that transition work, but also something that everybody knew they had to do.

0:04:00.9 Yadin Porter De Leon: No, that makes sense. And that fascinates me that what you talked about is, well how do you keep that agility? Because the business still has to be able to get products and services quickly to market, but at the same time, there has to be a good user experience and you have to have security and you have to have compliance. Those are absolutely critical. And maybe Karen, you can give me a sense of, when you use this new term, how do you think people and specifically technology leaders should think about it when they hear the term DevSecOps so they don't go off the rails too much? When someone comes and says, DevSecOps, what's a great way from a business standpoint and a real security and development standpoint that they could leverage that term and use it in a way without kind of going in 15 different directions? 

0:04:37.2 Karen Worstell: Here's how I think about it from an IT perspective, is it you have dev, like you've gotta create new stuff and you've gotta get things out the door, you've gotta maintain it, and then you've got operations, which is where everything is running in production. And you've got this interface where stuff comes down the pipeline and either it's going to be released as production software like a Microsoft production software or a VMware production software, or it's an internal application that a company is developing for its own use. You've got all of this development cycle and it used to be that we did a whole lot of development, and then we had a big block point, and then we pushed it into production. And so development and operations, DevOps kind of had two camps. I think that's shifted and this is one of the things I'd really love to hear more from Steve about, but what I am hearing as I talk more and more to different groups is the cycle between the development and pushing it into production has accelerated to the point where it's not this big block point that people work on for months and then push it out the door. It's going in a cycle of days, if not hours, to get new functionality, new features, new stuff out there, constantly. And so the cycle has revved up tremendously and it's changed the way we work.

0:06:13.4 Karen Worstell: So DevSecOps basically means that you've got this development cycle, and then you've got the operations of it on an ongoing basis. What's really, really different, the type of code we're writing has changed, the operating environment that we're pushing it into has changed, and the cycle, the time cycle has really changed. It's a concern, to be honest. It's a benefit, but it's also something that worries people. Does that sound right to you, Steve? 

0:06:40.4 Steve Lipner: Yeah, it does. The other thing that I think is important about DevSecOps, the developers are developing, and then they meet a set of requirements and they push production, and so you don't have a separate operations group. Now the developers are done, we've tested it, it's ready, now we throw it over the wall to Ops, now they see if they can load it on to production servers, maybe they do a test environment before it goes live. No more of that. I mean, I'm sure that happens in some cases, but if it takes a half million lines of code, you're not gonna do that overnight. But if it's a small feature, if it's an incremental change, if it's changing the way something works or responds or a piece of user interface or something, you may be able to start from a concept or an idea and build some code, demonstrate it, and then make it live that afternoon.

0:07:40.7 Steve Lipner: There are a couple of pieces of security associated with that, part of them is that the development has to be secure, just like it would if you were doing a Windows release on a three-year cycle. And then the other part is that you have to sustain the operational security through that change. So who's authorized to make that push to the live site? How do you know that that change is authorized? How do you roll back if there's a problem? And so that code has to preserve the security of the operational enterprise.

0:08:18.0 Yadin Porter De Leon: So Steve and Karen, you both touched on something that was really, really critical, I think, which is the development cycle is accelerating. And one of the parts of the conversation around DevSecOps is how are organizations scaling that effort of securing with code of rapid deployment, but at the same time, how are they dealing with some of the risks involved in moving so quickly? What are you seeing as some of the ways that this new DevSecOps paradigm is addressing the scalability of that acceleration of deployment while maintaining security? 

0:08:47.3 Steve Lipner: I think a big component to the extent that you're writing code, there are tools and tests that you build into your development cycle, and the SDL model that we created, Microsoft starting in 2004, really made the testing and creation of secure code the responsibility of the development group, not some after the fact team. That helped.

0:09:12.3 Steve Lipner: And now if you're doing [0:09:14.5] ____ four hours after you started writing on a little project, those tools and tests and scans and assurance have to be part of that tool suite and development process that you run and they have to work in that four hours. That's a change. It can be less of a change than you'd expect, but if you're starting from a model, "Well, we're gonna build our code, and then we're gonna throw it over the wall and somebody else is gonna decide whether it's secure," no, no.

0:09:45.2 Karen Worstell: There's no way to do that over the fence. That has to be embedded in the process, as you described, Steve. I think one of the things that I hear from security teams is the concern that they don't have the bases covered with telling dev or having those processes embedded with the dev team. Well, let me ask you this question. Does it seem to you like there's still a lot of old mindset that people are trying to do modern apps or rapid DevOps using the older mindset and running into problems? Do you see that? 

0:10:20.3 Steve Lipner: Most of the people that I hang out with these days are members of SAFECode, this non-profit that I work for part-time. The SAFECode members have all committed to integrating security into their development life cycle. That's the right start to enable them to do DevOps or whatever, do it in an effective and responsive way. I've talked to some organizations that they wanna have a secure development process, but what that means is that they wanna have the security team on the tools, and then give the bugs back to the developers to fix. That's just a lose. It not only doesn't work for DevSecOps or Agile, it just doesn't work.

0:11:04.4 Karen Worstell: Well, that's kind of, I guess what I was alluding to is that in the old mindset, I always like to pass an audit, right? So in the old days, I'm dating myself, but when we do a dev cycle, and we might be working on something for some time and we'd have a block point and we have a quality control check and we'd have maybe a security review and we'd have all of these steps that we went through and all these boxes that we would check and artifacts that we would make to prove to the auditors that these things have been done. When I talk about older mindset, there's still this idea that somehow that's what we're gonna have to do in some way, in this new DevOps kind of cycle. And I agree with you, there's no way it scales and no way it works, but I do feel like there's people I talk to and probably not a part of SAFECode yet, maybe that's the first thing we should tell them is like, you gotta join SAFECode and hang out there. But there's this consternation, I don't know how to make this happen when we've got a dev cycle that's so rapid, so they're not adjusting maybe in all cases.

0:12:14.7 Steve Lipner: If you want a 1,000-person security team, then the way to do that is to do all the audits and all the testing and all the security reviews and all the compliance after the fact. If you want secure software out there this afternoon, then the responsibility for building secure software has to be with the developers. So then, what's the role of the security team? The role of the security team is to help organize, train and equip so that the developers have the right processes, the right training. They know what a security bug looks like and why you don't wanna have one and the right equipment, the right tools to tell them when they need to do something differently and what to do about it.

0:13:02.9 Steve Lipner: Then the other thing, I mean the historic auditor, the historic compliance model is to review artifacts. If I have to produce artifacts for the auditors, then there are two things wrong with that; one of them takes me time and the other is that it's pretty much guaranteed to fool the auditors. What I produce is at a distance from what's actually happening, and that distance is too often fatal. The artifacts that matter are the code and the tool outputs, the bugs and the workflow system and the threat models. Those are produced as side effects of developing and most of them can be validated very quickly with automation. I do a query on the bug tracking system and I know whether you fixed your static analysis bugs. I know whether you've set all the apples right. The secure development model is not only more effective, but it's probably better for Agile than the sort of old compliance model.

0:14:01.6 Karen Worstell: Yeah. Well to your point, the code is the artifact.

0:14:05.0 Steve Lipner: Right.

0:14:05.1 Karen Worstell: And it's the automated tools that help us be able to keep up with that pace.

0:14:09.7 Yadin Porter De Leon: I love that the conversation is going into, what kind of models need to be applied in order to be able to bring the different teams together and be able to produce the secure code in a way that it needs to be and have developers taking responsibility rather than people clicking on interfaces for security? And security people also needing to understand, like you said Steve, what's a bug and why is it bad to have one? What are all these different things that are gonna be issues that are actually developer things in a way that they can work together better? So I think it begs the question when a technology leader is trying to move towards a model that you two are talking about, what are some of the ways in which they can better facilitate communication between these different teams, organizing these different teams so that you can apply this model rather than trying to apply a model on top of something that's just gonna behave the way that it did before? Because everyone's ingrained in the way their teams are organized, the way that their metrics are measured. How does that shift start? If you're a technology leader, how do you start to move the team in that direction? What's the first step so that it doesn't all fall apart when you try and do it? 

0:15:05.9 Steve Lipner: Actually starting with the security push, the Windows security push at Microsoft, when we started that, there was no real discipline at secure development. There were some pretty nascent static analysis tools.

0:15:19.5 Yadin Porter De Leon: That must have been extremely difficult. No discipline around secure software development.

0:15:23.9 Steve Lipner: Right. And so we made it up. The Windows security push, we started it out of the Windows security feature development team in the core operating system division. From day one, it was developer-driven trying to figure out how to build and deliver secure code. What would we do that seems like it would work to find and eliminate vulnerabilities? And what would we do that developers could actually do? We had some great ideas, we had some misses, we had some things that we did and then stopped doing. But the mindset was always developer-driven or developer audience. We built up the team from people with development experience and that was pretty instrumental in our being able to figure out what the right things to do were and also in our having the credibility to get the developers to actually listen to us.

0:16:23.0 Karen Worstell: I remember there was some pushback.

[laughter]

0:16:26.0 Yadin Porter De Leon: I was about to ask. [0:16:26.6] ____ 'cause I was about to ask.

[overlapping conversation]

0:16:27.0 Karen Worstell: I would say, I do remember that there was some pushback at one point and it took a production release delay. "This code is not shipping until we fix this." Is that... Am I remembering that right? 

0:16:39.3 Steve Lipner: Well, after we had the security development life cycle, the Windows security push and the other big product security pushes went pretty well. The more experience a product team had had with bad vulnerability reports and bad incidents, the more open it was to figuring out what are we gonna do about this? 

0:17:00.9 Karen Worstell: Well, and there was a big tone at the top.

0:17:02.8 Steve Lipner: Oh yeah, yeah.

0:17:03.7 Karen Worstell: I mean this was coming down from the top. This was the Gates memo...

0:17:07.4 Steve Lipner: Right.

0:17:08.0 Yadin Porter De Leon: Famous Gates memo, and then... And subsequent to that, I mean, is it Jim Allchin and... I mean, everybody was pretty onboard with that, I remember, right? 

0:17:18.2 Steve Lipner: Howard Schmidt and Craig Mundie worked a lot over a period of about a year to get the company to the point where Bill was convinced and agreed to sign off on the Trustworthy Computing commitment. And then when we went to a permanent forever commitment to the security development life cycle, Ballmer was the guy who signed off on that. But I remember when we made the SDL mandatory, floated out to a lot more teams than had been involved with security pushes, and their code was sort of a disaster at that time. We had what we call the final security review to sort of a combination of a pen test and rerun the tools and everything turned up yellow or red. We didn't just give them back the bugs that we found and say, "Fix these." We said, "Go back and do the process like it says in the document and come back to us and ask us to ship when you've done that." And they did.

0:18:20.9 Yadin Porter De Leon: So that was a wholesale, like establishment of a completely new discipline.

0:18:25.3 Karen Worstell: I mean, but it takes that beachhead...

0:18:27.6 Steve Lipner: Yeah.

0:18:28.0 Karen Worstell: In order to get everybody's attention and say, "Oh yeah, this is not kind of like lip service. This is for real."

0:18:34.3 Yadin Porter De Leon: Yeah. And this was in the days after Code Red and the days after Nimda and the days after Slammer. So people understood what bad things could happen. But it's also a motivator to the developers. And so that actually made the job easier.

0:18:51.9 Karen Worstell: I wanna kind of set this in context because the era that we're talking about and that SDL and development of the Trustworthy Computing and the SDL that we lived through, I didn't spend as much time there as you did, but that was a different era. Windows security was a real huge problem and Microsoft is like, "We have to do something about this." Thanks to Howard and Mike and you and others. And so that was a different time. And what we have now is, I guess the closest thing I can think of to some of the security problems we were facing was if you had Log4j over and over and over and over again, it would be that kind of a... To put it in a modern context, it'd be that kind of a situation.

0:19:40.0 Karen Worstell: And so it's at some point you go, "We cannot afford to keep being the one who keeps showing up in the news with this kind of bad press." Today, people are worried about a lot of things, but we've learned so much. We've learned a lot. I guess what I'm trying to explore here is, now that we're moving to the cloud, we've already got software-defined infrastructure, so we've got dev involved there, we've got traditional style applications sitting on cloud infrastructure and now we have modern apps sitting on cloud infrastructure. I think I saw a statistic recently that API traffic was 50% of the traffic on the internet.

0:20:27.0 Yadin Porter De Leon: That's telling. That's really telling.

0:20:28.6 Karen Worstell: So that gives you some idea of the scale of what's happening, that people are literally taking all these little fragments of code and hanging everything together with APIs. It's like, "This is a whole new rodeo." And I'm wondering if we're gonna see another shift happen, another... Like a big a-ha moment of going, "Oh my gosh, we should have been doing this differently." Is there something like that out there, or do you think we've got it all... The SAFECode have it all figured out? 

0:20:56.3 Steve Lipner: The challenge is that it's too easy to learn to program without learning to program securely. And if you get a degree in computer science, you know about algorithms, which means you know about time and how long it takes to compute something, and you know about data structures which means you know about space and you know how to access data, and security is part of learning to program, like data structures, like algorithms, but very few computer science departments do it that way. There's either no computer science class, or there is an elective that teaches you about encryption and firewalls or something.

0:21:39.6 Karen Worstell: It's still pretty old school.

0:21:41.4 Steve Lipner: Yeah, yeah.

0:21:41.7 Yadin Porter De Leon: That's interesting to hear is that you haven't integrated some of the new things that are already out in the industry. Why that hasn't flowed back into the academics and in training and making sure the next generation of coders, you would assume, would be doing it more securely, but maybe that's just not the case.

0:21:58.4 Karen Worstell: I'm gonna offer an opinion, and I'd be really interested in the feedback from people who are listening, what they think about this and what Steve thinks about this, but I think the truth of it is is that in the technology world where we're surrounded by new technology and we're used to that cycle of new technology evolution and adopting it like early adopters, we can get kinda out over the skis when it comes to the rest of the world. Academia, it takes time to build the new courses, build the new curriculum, get that all approved and get everything all pulled together, right? They can't just turn on a dime and say, "Oh, it's a new world and we're gonna just change now." And the same is true with legacy infrastructures in these companies where they're making incremental changes towards modernization, but as we've seen in the news in recent events, technical debt is our biggest risk, in my opinion. And so we look at it and we go, "Oh, how come you're not doing this yet?" It's not that easy. It's like a gigantic boat anchor and chain that has to get pulled along with this before they can start to navigate a new course, and then I think it's gonna slow people down quite a bit.

0:23:14.9 Yadin Porter De Leon: I'm actually enamored with this idea of adopting new technology, Karen and Steve. I'd like both to talk about, I'm gonna throw a just a little bit of a curveball in here 'cause it's something that I think is really incredible right now, it's emerging and people are talking about it and that's GPT-3 and AI writing code and AI looking at code and debugging code, but then AI looking at code and finding exploits for code. And you're typing into a chatbot and it's actually finding legitimate exploits in code, whether it's on the Ethereum network or whether it's in a database. It's mind-blowing how, and how fast this curve is gonna go now and how there's so many different teams and so many different models that we're not gonna be able to keep up with it. I would love to hear just your thoughts. It's new and it's fascinating, but also it's kind of scary. What are some of the risks, I mean, serious risks or some of the concerns that you have with now AI sort of accelerating all the different risks you're talking about? 

0:24:06.8 Steve Lipner: If I train my AI to write code on a training set that's all been developed without any attention to security, then guess what it's gonna do? 

[laughter]

0:24:17.2 Yadin Porter De Leon: Yes, exactly.

0:24:20.1 Karen Worstell: [0:24:20.1] ____.

[overlapping conversation]

0:24:21.5 Yadin Porter De Leon: Yes, exactly.

0:24:22.0 Karen Worstell: We've been playing around with it quite a bit. In fact, I wrote a blog post which should be going out here pretty soon, and ChatGPT was just hugely helpful.

0:24:30.2 Yadin Porter De Leon: It's fabulous.

0:24:31.8 Karen Worstell: Yeah. So that was amazing. But the other thing we've been playing around with here on the exploits, first of all, it's excellent at pen testing, it finds things and it does it really quickly. That's pretty cool. So using it to do code reviews, if you've trained it properly and you have confidence in that, and maybe that's a process, you could use that to help automate part of the code review process. The other thing that we saw to kind of assuage the fears, I think ChatGPT seems to have some ethics, and so we tried to get it to write exploit code and it refused.

0:25:10.5 Yadin Porter De Leon: 'Cause you weren't in kernel mode. If you're in kernel mode Karen, you could pretty much make it do whatever you want it to do. [chuckle]

0:25:16.3 Karen Worstell: Right, that might... Well, it raises a bunch of questions which are probably the subject for a whole another podcast, right? 

0:25:23.2 Yadin Porter De Leon: Oh yeah, absolutely. We gotta bring... We gotta come back and talk about this some more for sure. [laughter]

0:25:27.8 Karen Worstell: Yeah.

0:25:29.3 Yadin Porter De Leon: But I see Steve, you have a big smile on your face for those who are just listening, of course. Steve's got this huge smile on his face. [laughter]

0:25:34.8 Steve Lipner: Well I'm just thinking about ChatGPT using... Doing penetration tests. I don't know a lot about what the experience with it has been, but... Well, you're not gonna get perfection that way. You're not gonna get perfection any other way either. That use of AI can either be a really good thing or a really bad thing.

[laughter]

0:25:56.0 Karen Worstell: It can go both ways. Well, that's like almost every invention, right? Insecurity and...

0:26:00.9 Yadin Porter De Leon: Yeah. One of my favorite quotes is that the person who invented the car invented the car crash.

0:26:05.1 Steve Lipner: Right.

0:26:05.5 Yadin Porter De Leon: 'Cause there wasn't a car crash before the car was invented. They're inventing the AI exploit. They're inventing the AI meltdown. Whatever comes of it, they've just invented. Maybe they don't know what they've invented yet. Are we gonna end up in a certain point where you've got security teams and developer teams training AI models where an AI produces code, and then it ships it to another AI who reviews the code and then sends the bugs back, and then the AI rewrites it and that cycle further accelerates the development life cycle that we're doing right now? Or do you feel like there's just gonna be way more human involvement than that? 

0:26:34.2 Karen Worstell: You're kind of describing open source.

0:26:36.5 Yadin Porter De Leon: Yeah. [laughter]

0:26:40.0 Steve Lipner: Open source, I mean, there's a very depressing report out of the Harvard Business School from end of 2020 where they did a sample survey of Open Source developers about security. They got a response back that people just couldn't be bothered with security. It was a mind-numbing bureaucratic task. That was sort of the takeaway from the report. And the government involved trying to get people, open source developers, open source projects, committed to doing their work securely. I think that's super important. You're building on this base that I was talking about, developers who were never exposed to the notion that their code had to be secure when they learned to program. How you do that is problematic. Karen brought up open source in the context of the ChatGPT. I mean the interesting... To take ChatGPT or one of the automatic coding tools and hook it up in a feedback loop with one of the static analysis tools or one of the fuzzers...

0:27:50.3 Yadin Porter De Leon: Hm, interesting, yeah, and see what happens.

0:27:51.6 Steve Lipner: Write code, run the static analysis tool on it and see if the tool learns to write secure code over time.

0:28:00.3 Yadin Porter De Leon: I imagine someone's doing that right now [laughter] at this moment.

0:28:02.2 Karen Worstell: Oh I'm sure. I would say... I would offer that I think people are never gonna be out of the loop, because the truth of it is, is that if I have... Whether it's a developer or whether it's ChatGPT or whatever other AI is generating code snippets and this is all being entered into a code base, and then the next person assumes that it's been reviewed and vetted and uses it, and the next person uses it, and we get this multiplication of tiny errors, pretty soon you have a completely corrupted code base. If I were a bad guy, that's what I would do.

0:28:39.3 Steve Lipner: It's not stack-based buffer overruns that are worrying people now, but design errors, where you don't just run a tool and find the design errors. That's where the training becomes important. Maybe the AI can help with that too.

[laughter]

0:28:55.5 Yadin Porter De Leon: Karen, I think we both said we could have done a whole episode just on this piece alone, but I love the fact that you just touched on it a little bit because I thought it... Especially now, I think it's really relevant when you're looking at, especially building a whole new, whether it's an SDL or whether it's a DevSecOps practice, this is now really just destabilizing the whole idea of what it is to write code and review code, and what the tools of those who are trying to find exploits, what those tools are and how easy they are to use. So with that, I kind of wanted to just give the listeners a chance to, Steve, where can people find out more about SAFECode? Where can they find out more about you?

0:29:30.8 Steve Lipner: I tweet very occasionally, and my Twitter handle is just @lipner, L-I-P-N-E-R. My personal website is stevelipner.org. The SAFECode website is SAFECode, S-A-F-E-C-O-D-E dot org. There's free guidance, there are training courses, a lot of resources for organizations or individuals that are trying to learn about secure development.

0:29:55.0 Yadin Porter De Leon: That's fascinating too. It's been great, Steve. Karen, where can people find out more about you?

0:30:00.1 Karen Worstell: LinkedIn. I love it when people connect with me on LinkedIn. And I'm under Karen Worstell.

0:30:06.8 Yadin Porter De Leon: Fabulous. Well, Steve, Karen, it's a phenomenal, fascinating conversation. I think it could have gone a million different directions, [chuckle] and I wish we could talk more, but I think we're gonna have to wrap it up here. I really appreciate both of you joining the CIO Exchange Podcast.

0:30:17.9 Steve Lipner: Thanks for having us.

0:30:19.1 Karen Worstell: Thank you for having us. This has been really fun.

0:30:21.0 Steve Lipner: This was fun. Thank you.

0:30:22.2 Karen Worstell: Take care.

[music]

0:30:23.7 Yadin Porter De Leon: Thank you for listening to this latest episode. Please consider subscribing to the show on Apple Podcasts, Spotify, or wherever you get your podcasts. And for more insights from technology leaders as well as global research on key topics, visit VMware.com/CIO.