Q&A: Cyber Crime's Chief Investigator
Howard A. Schmidt has forgotten more about network and systems security than
I will probably ever know. A pioneer in the area of computer forensics, he served
for more than 30 years as an information security advisor to the FBI, the U.S.
Air Force and the Bush administration after Sept. 11, 2001.
Recruited by Microsoft in the mid-'90s, Schmidt served as the company's
first chief security officer and, in April 2001, helped launch the company's
Trustworthy Computing initiative before leaving to become CSO of eBay in 2003.
Today, Schmidt is the president and CEO of R&H Security Consulting LLC.
RDN Senior Editor Kathleen Richards caught up with Schmidt the week after the
RSA Conference to find out where security in a Web 2.0 world is headed.
Here are a few excerpts from the conversation. You can read the entire account
here.
RDN: What kind of tools should developers be using?
We have to look across the entire spectrum. We should not be asking our developers
to develop software and then throw it over the fence and say, OK, Quality Assurance
will find the problems with it. We should be giving the developers the tools
right from the very outset to do the software scanning and the source code analysis.
And that does two things. One, it helps them develop better code as they discover
things through the automated scanning process on the base code itself. But it
also, once it gets to Quality Assurance, gives them the ability to focus more
on quality stuff, rather than looking at security things which you can eliminate in
the first round.
The second thing, when you look at the compiled binaries and stuff like that,
the way those things work, generally we look at the pen test side of the thing.
We can't ignore that because that is really one of those things when you
put it on the production environment, there may be other linkages somewhere
that may create a security flaw in the business process while the code itself
is secure.
Then clearly the third level of that is in a Web application, Web 2.0 environments,
for example. Now you have the ability not just to pull information down but
to interact directly -- this creates a really, really dynamic environment, and
even simple things like cross-site scripting and SQL injection have to be tested
for, at the end result once things are out in the wild.
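As an added illustration of the developer-side checks Schmidt describes (example code, not from the interview), the following Python places a string-built SQL query and raw HTML interpolation beside their parameterized and escaped counterparts, and runs both against probe inputs the way a developer could before the code ever reaches QA. The in-memory SQLite table, probe strings and function names are constructed assumptions.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory user table standing in for a real store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, name):
    # String concatenation: user input is parsed as SQL syntax.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, name):
    # Parameterized query: the driver binds the value; it is never parsed as SQL.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_vulnerable(name):
    # Raw interpolation into HTML: markup inside the name is rendered as markup.
    return "<p>Hello, " + name + "</p>"


def render_hardened(name):
    # Escaping appropriate for an HTML text node.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


SQLI_PROBE = "' OR '1'='1"          # constructed probe: turns the WHERE clause into a tautology
XSS_PROBE = "<script>alert(1)</script>"  # constructed probe: markup in a display name


def developer_checks():
    """Local pre-QA checks; each entry is True when the observation holds."""
    conn = make_db()
    return {
        "sqli_vulnerable_leaks": lookup_vulnerable(conn, SQLI_PROBE) == ["alice", "bob"],
        "sqli_hardened_ok": lookup_hardened(conn, SQLI_PROBE) == [],
        "xss_vulnerable_leaks": "<script>" in render_vulnerable(XSS_PROBE),
        "xss_hardened_ok": "<script>" not in render_hardened(XSS_PROBE),
    }
```

The vulnerable variants are kept only as the comparison target for the check; the hardened ones are what should ship.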
RDN: You worked at Microsoft for five years and were one of the founders of
its Trustworthy Computing Strategies Group. Craig Mundie outlined
an "End to End Trust" model at the recent RSA conference. What's your take
-- is there something new there?
I don't know that there is something new. I think it is just a continuation
of the fact that there is no single point solution in any of these things in
any environment. It is not a hardware solution. It is not a software solution.
It is not a business process solution. It is not an identity management solution.
RDN: Does Microsoft's recent interoperability pledge change the security equation?
It does, and that's one of the things when you start looking at one of the complaints
that people had over the years is the inability to write security-related APIs
because they didn't know what it was going to do with the other ones. So having
access to the APIs, knowing what function calls are out there, knowing how the
security that you implement is going to impact that is going to once again take
us a step further.
RDN: What did you find noteworthy at the recent RSA Security Conference?
As we develop greater dependency on mobile devices, the bad guys will start
using unsigned applications on the mobile device to commit the next-gen of cyber
crimes and we need to look at it now and build that into the phones that we
will start using in the near future.
You can read the rest of this Q&A here.
What were your impressions from the RSA Security conference? And is your organization
making any changes to help counter emerging threats? Email me at [email protected].
Posted by Michael Desmond on 04/22/2008