Q&A: Cyber Crime's Chief Investigator
Howard A. Schmidt has forgotten more about network and systems security than
I will probably ever know. A pioneer in the area of computer forensics, he served
for more than 30 years as an information security advisor to the FBI, the U.S.
Air Force and the Bush administration after Sept. 11, 2001.
Recruited by Microsoft in the mid-'90s, Schmidt served as the company's
first chief security officer and, in April 2001, helped launch the company's
Trustworthy Computing initiative before leaving to become CSO of eBay in 2003.
Today, Schmidt is the president and CEO of R&H Security Consulting LLC.
RDN Senior Editor Kathleen Richards caught up with Schmidt the week after the
RSA Conference to find out where security in a Web 2.0 world is headed.
Here are a few excerpts from the conversation. You can read the entire account
RDN: What kind of tools should developers be using?
We have to look across the entire spectrum. We should not be asking our developers
to develop software and then throw it over the fence and say, OK, Quality Assurance
will find the problems with it. We should be giving the developers the tools
right from the very outset to do the software scanning and the source code analysis.
And that does two things. One, it helps them develop better code as they discover
things through the automated scanning process on the base code itself. But it
also, once it gets to Quality Assurance, gives them the ability to focus more
on quality stuff, then looking at security things which you can eliminate in
the first round.
The second thing, when you look at the compiled binaries and stuff like that,
the way those things work, generally we look at the pen test side of the thing.
We can't ignore that because that is really one of those things when you
put it on the production environment, there may be other linkages somewhere
that may create a security flaw in the business process while the code itself
Then clearly the third level of that is in a Web application, Web 2.0 environments,
for example. Now you have the ability not just to pull information down but
to interact directly -- this creates a really, really dynamic environment, and
even simple things like cross-site scripting and SQL injection have to be tested
for, at the end result once things are out in the wild.
You worked at Microsoft for five years and were one of the founders of
its Trustworthy Computing Strategies Group. Craig Mundie outlined
an "End to End Trust" model at the recent RSA conference. What's your take
-- is there something new there?
I don't know that there is something new. I think it is just a continuation
of the fact that there is no single point solution in any of these things in
any environment. It is not a hardware solution. It is not a software solution.
It is not a business process solution. It is not an identity management solution.
Does Microsoft's recent interoperability
pledge change the security equation?
It does, and that's one of the things when you start looking at one of the complaints
that people had over the years is the inability to write security-related APIs
because they didn't know what it was going to do with the other ones. So having
access to the APIs, knowing what function calls are out there, knowing how the
security that you implement is going to impact that is going to once again take
us a step further.
What did you find noteworthy at the recent RSA Security Conference?
As we develop greater dependency on mobile devices, the bad guys will start
using unsigned applications on the mobile device to commit the next-gen of cyber
crimes and we need to look at it now and build that into the phones that we
will start using in the near future.
You can read the rest of this Q&A here.
What were your impressions from the RSA Security conference? And is your organization
making any changes to help counter emerging threats? Email me at email@example.com.
Posted by Michael Desmond on 04/22/2008 at 1:15 PM