Secure by Design: A Guide to Assessing Software Security Practices

Wednesday, December 17, 2025 | 1:00 P.M. EST

Security isn’t just a feature; it’s a foundation. As cyber threats grow more sophisticated and regulations tighten, developers are being asked to do more than just write clean code. They’re being asked to build software that’s secure by design throughout its lifetime.

Secure by Design: A Guide to Assessing Software Security Practices offers a practical, evaluable framework for building and verifying software security from the ground up. Developed by the Center for Internet Security® (CIS®) in collaboration with the Software Assurance Forum for Excellence in Code (SAFECode) and a community of experts, this guide helps organizations align their development practices with proven security principles.

By attending this webinar, you’ll learn:

  • How to identify and strengthen six essential areas of software security practice, giving your team a clear roadmap for embedding security into every stage of development.
  • How to apply secure‑by‑design principles to improve resilience and meet compliance requirements, ensuring your software is built to withstand evolving threats and align with industry regulations.
  • How to evaluate whether AI and machine learning will enhance or undermine your security efforts, helping you separate hype from reality and make informed decisions about emerging technologies.

About Our Presenters

Curt Dukes
Executive Vice President and General Manager, Security Best Practices

Curt Dukes joined CIS as the Executive Vice President and General Manager of the Best Practices and Automation Group in January 2017. The CIS Benchmarks® and CIS Controls® program provides vendor-agnostic, consensus-based best practices to help organizations assess and improve their security. Prior to CIS, he served as the Director, Information Assurance for the National Security Agency, Central Security Service. In that role, Curt was responsible for securing systems that handle classified and critical information for military and intelligence activities. Dukes earned a Bachelor’s Degree in Computer Science from the University of Florida, and a Master’s Degree in Computer Science from Johns Hopkins University. He is a 2004 graduate of the Intelligence Community Officer Training Program.

Phyllis Lee
Vice President of Security Best Practices Content Development

Phyllis Lee has over 25 years of experience in information assurance and has performed vulnerability assessments, conducted virtualization research, and worked in security automation. Prior to joining CIS, Lee worked at the National Security Agency (NSA) focusing on the intersection between malware and virtualization, which included collaboration with MIT Lincoln Labs. Lee also participated in a variety of security automation standardization efforts and led the security automation strategy for the NSA Information Assurance Directorate (IAD). She graduated from Johns Hopkins University with a Master of Science in computer science.

Steve Lipner
Executive Director, SAFECode

Steve Lipner is the executive director of SAFECode, an industry nonprofit focused on software security assurance. He was previously partner director of software security at Microsoft where he was the creator and long-time leader of the Security Development Lifecycle (SDL) and was responsible for software integrity policies and government security evaluations. Lipner also serves as the chair of the U.S. Government’s Information Security and Privacy Advisory Board. He has more than a half century of experience in cybersecurity as researcher, engineer, and development manager and is named as coinventor on twelve U.S. patents. He is a member of the National Academy of Engineering and the National Cybersecurity Hall of Fame.

Tony Rutkowski
CIS Controls Ambassador

Tony Rutkowski is an engineer-lawyer with an extremely diverse, sixty-year professional career spanning the telecommunication, mobile, internet, satellite, and broadcasting fields in the U.S. and Europe, where he has shaped major technical and legal developments in senior governmental, company, and academic leadership positions at international, national, and local levels. His roles have been focused on network security initiatives relating to cybersecurity, infrastructure protection, extraterritorial security law, and lawful interception for new networks and services. Currently, he represents the Center for Internet Security. Over the past several years, he has assumed rapporteur responsibilities in the ETSI Cyber Security Technical Committee for a number of major specifications and reports.

Positions have included the private sector (VeriSign, SAIC, General Magic, Sprint, Horizon House, Pan American Engineering, General Electric Apollo Systems), government (FCC, International Telecommunication Union, Cape Canaveral City Council), and academia (Internet Society, MIT, and NY Law School).