This isn't exactly the list I would have drawn up, and I must be having a bad year, since I'm not on it <g>, but my friend Michael Howard is on the list. You can check it out here:
My personal list would be a bit different, but this one is pretty good. I won't call most of them out here, since most of them tend to avoid publicity, but here's some people to consider:
- One of the smartest security guys I know – once found a very large number of security bugs in Windows with "notepad and me brain". He's done as much to improve kernel level security as anyone I know.
- A quiet security architect in Windows who has been responsible for huge numbers of improvements, like the impersonation privilege that shut down a whole class of attacks.
- Another quiet security architect who rarely makes noise in public who's been responsible for shutting down vast numbers of information disclosure leaks in Windows.
- A PowerPoint dev manager who deserves huge credit for driving up code quality levels, not only in his own product, but across Office and Microsoft.
- A couple of quiet guys in Excel who really get security and deserve a lot of credit for making their app better.
- Another very quiet security guy who came up with LUA and integrity levels – not perfect, but it's a huge improvement.
- The tester in Access that enabled us to do massively distributed fuzzing.
- The IIS team for going from a mess in IIS 5 to a truly stellar record in IIS 6
- Same thing for SQL – used to be a security mess, now it's really solid – and thanks to NGS for helping
10-10,000 or so – all those people in the code every day who really get it and strive to deliver secure products, no matter where they work. I've left off a lot of people, but my main point is that the people that matter the most aren't always the most visible, and some of the people that are most visible aren't doing a whole lot to really help users – and that's what matters. There's some that manage to do both.
This brings me back to a thought I had while reading this post to the SDL blog –
It's pretty astonishing how badly they've fouled up something this important, and I agree that the elements of the SDL could have helped, but the really important missing ingredient is people in the trenches that really care about security, and management that sets this as a priority. Without that intangible, you can have all the SDL you want, and it won't matter. With those people who truly have their mind in the game and understand that quality must imply security, the SDL becomes a checklist to make sure you didn't forget anything. It's those people in the code day in and day out who I think have the most influence – and you'll never see most of them in public.