This isn't exactly the list I would have drawn up, and I must be having a bad year, since I'm not on it <g>, but my friend Michael Howard is on the list. You can check it out here:
My personal list would be a bit different, but this one is pretty good. I won't call most of them out here, since most of them tend to avoid publicity, but here are some people to consider:
10-10,000 or so – all those people in the code every day who really get it and strive to deliver secure products, no matter where they work. I've left off a lot of people, but my main point is that the people who matter the most aren't always the most visible, and some of the people who are most visible aren't doing a whole lot to really help users – and that's what matters. There are some who manage to do both.
This brings me back to a thought I had while reading this post to the SDL blog –
It's pretty astonishing how badly they've fouled up something this important, and I agree that the elements of the SDL could have helped, but the really important missing ingredient is people in the trenches that really care about security, and management that sets this as a priority. Without that intangible, you can have all the SDL you want, and it won't matter. With those people who truly have their mind in the game and understand that quality must imply security, the SDL becomes a checklist to make sure you didn't forget anything. It's those people in the code day in and day out who I think have the most influence – and you'll never see most of them in public.