Three Women Who Reshaped Application Security
An International Women’s Day look at the people behind the practices we rely on every day
Every AppSec team today works with concepts that didn’t exist twenty years ago: threat modeling as a formal discipline, browser-level encryption by default, coordinated vulnerability disclosure through international standards. These are the results of people doing difficult, unglamorous work over many years.
This International Women’s Day, we want to tell the stories of three of those people. Not because they need a holiday to be recognized — their CVEs, standards, and shipped code speak for themselves. But because their paths into security, and the impact they’ve had, are genuinely worth knowing about.
Window Snyder: Security as a Development Practice
In the early 2000s, the prevailing approach to software security was reactive: ship first, patch later. Window Snyder was part of the Microsoft team that pioneered a different model. As a senior security strategist, she helped build the Security Development Lifecycle (SDL), a framework that integrated security into every stage of the development process rather than bolting it on at the end. She led security sign-off on Windows XP Service Pack 2, widely regarded as Microsoft's first serious attempt at secure-by-default design.
Snyder also created the BlueHat conference, one of the first initiatives to bring external security researchers inside a major software company for collaborative dialogue, a radical idea at a time when most vendors viewed researchers with suspicion.
At Apple, she was the sole product manager for security and privacy across the entire product line. Her guiding principle was deceptively simple: the best way to protect user data is to collect less of it. That thinking shaped Apple’s privacy architecture during the years when smartphones went from gadgets to extensions of our identities.
She went on to hold senior security leadership roles at Mozilla, Fastly, Intel, and Square, and in 2020 founded Thistle Technologies to address security in IoT devices. She is also co-author, with Frank Swiderski, of "Threat Modeling" (Microsoft Press, 2004), still a go-to reference for AppSec practitioners.
Parisa Tabriz: Encrypting the Web, One Percent at a Time
When Parisa Tabriz joined Google in 2007, fresh from the University of Illinois, there were about 50 security engineers at the company. Today there are over 500, and Tabriz is VP and General Manager of Google Chrome and head of Project Zero, Google’s elite vulnerability research team.
The numbers behind her work are striking. In 2013, when Tabriz took over Chrome security, less than half of web traffic seen by the browser was encrypted. She led a sustained, years-long push for HTTPS adoption — working with site operators, certificate authorities, and the Chrome UX team to make encryption the default rather than the exception. By 2019, encrypted traffic in Chrome had reached 73–95% across platforms. That’s billions of users whose browsing became meaningfully more secure.
Her 2018 Black Hat keynote called for something the security industry often struggles with: tackling root causes rather than symptoms. Instead of chasing individual bugs, she argued, invest in architectural improvements that eliminate entire classes of vulnerabilities. That same year, she co-founded OURSA, a pop-up security conference organized in five days with 14 speakers, to broaden the range of voices in security conversations. She has also consulted for the White House U.S. Digital Service and volunteers to teach kids about hacking at DEF CON.
Katie Moussouris: Building the Bridge Between Hackers and Organizations
The idea of paying outside hackers to find vulnerabilities in your own products used to be controversial. Katie Moussouris is a major reason it isn’t anymore. At Microsoft, she created the company’s first bug bounty program and launched Microsoft Vulnerability Research, which formalized multiparty vulnerability coordination across hardware and software supply chains. The BlueHat Prize she initiated awarded over $260,000 for advances in exploit mitigation — the largest vendor payout of its kind at the time.
She then led the launch of “Hack the Pentagon,” the U.S. Department of Defense’s first bug bounty program, which identified and resolved 138 vulnerabilities in public-facing DoD systems. The program demonstrated that crowdsourced security could work at the highest levels of government and has since been followed by similar initiatives across federal agencies.
Moussouris also co-authored ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (vulnerability handling processes), international standards that now guide how organizations worldwide receive, triage, and remediate reports from security researchers. As founder and CEO of Luta Security, she advises governments and enterprises on building mature, sustainable vulnerability management programs.
She serves on three U.S. government advisory boards for cybersecurity, and has testified before Congress on topics ranging from supply chain security to export controls for intrusion software.
Happy International Women’s Day
Snyder, Tabriz, and Moussouris each came to security from a different direction and reshaped the field in their own way. They're far from alone — the community of people building, defending, and improving application security grows wider every year.
To every woman in application security — whether you’re writing YARA rules, architecting zero-trust frameworks, convincing a product team to prioritize a security fix, or mentoring someone just getting started — your work matters. You make the code we all depend on safer and the teams you’re part of sharper.
And to everyone in this field: the stories above are a reminder that great security work comes from everywhere. The best teams are the ones that recognize talent wherever it shows up.