Desmond File

Q&A: Cyber Crime's Chief Investigator

Howard A. Schmidt has forgotten more about network and systems security than I will probably ever know. A pioneer in the area of computer forensics, he served for more than 30 years as an information security advisor to the FBI, the U.S. Air Force and the Bush administration after Sept. 11, 2001.

Recruited by Microsoft in the mid-'90s, Schmidt served as the company's first chief security officer and, in April 2001, helped launch the company's Trustworthy Computing initiative before leaving to become CSO of eBay in 2003.

Today, Schmidt is the president and CEO of R&H Security Consulting LLC. RDN Senior Editor Kathleen Richards caught up with Schmidt the week after the RSA Conference to find out where security in a Web 2.0 world is headed.

Here are a few excerpts from the conversation. You can read the entire account here.

RDN: What kind of tools should developers be using?
We have to look across the entire spectrum. We should not be asking our developers to develop software and then throw it over the fence and say, OK, Quality Assurance will find the problems with it. We should be giving the developers the tools right from the very outset to do the software scanning and the source code analysis. And that does two things. One, it helps them develop better code as they discover things through the automated scanning process on the base code itself. But it also, once it gets to Quality Assurance, gives them the ability to focus more on quality stuff than looking at security things, which you can eliminate in the first round.

The second thing, when you look at the compiled binaries and stuff like that, the way those things work, generally we look at the pen test side of the thing. We can't ignore that because that is really one of those things when you put it on the production environment, there may be other linkages somewhere that may create a security flaw in the business process while the code itself is secure.

Then clearly the third level of that is in a Web application, Web 2.0 environments, for example. Now you have the ability not just to pull information down but to interact directly -- this creates a really, really dynamic environment, and even simple things like cross-site scripting and SQL injection have to be tested for, at the end result once things are out in the wild.
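The two flaw classes Schmidt names at the end of that answer, SQL injection and cross-site scripting, are exactly the kind of thing an automated check in the developer's own build can catch before code reaches QA. The following is an added example, not code from the interview or from any product Schmidt worked on: it puts a deliberately vulnerable query builder beside its parameterized form, an HTML-escaping renderer beside a script-tag probe, and a `run_checks` function that a unit test could assert on. The table, rows and probe strings are constructed for the example.

```python
import html
import sqlite3

# Constructed in-memory database with two sample rows (not from the article).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn

def find_user_unsafe(conn, name):
    # Deliberately vulnerable: untrusted input is pasted into the SQL text,
    # so the quoting in the input is parsed as part of the statement.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]

def find_user_safe(conn, name):
    # Hardened: the driver binds the value as data; it is never parsed as SQL.
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]

def render_greeting(name):
    # Hardened: escape before inserting user-controlled text into markup,
    # so angle brackets and quotes cannot open a new tag or attribute.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"

# Probe inputs a scanner or test suite would feed to every entry point (constructed).
INJECTION_PROBE = "' OR '1'='1"
XSS_PROBE = "<script>alert(1)</script>"

def run_checks():
    """Return what each path does with the probes, for a test to assert on."""
    conn = make_db()
    results = {
        # The unsafe path returns every row: the probe rewrote the WHERE clause.
        "unsafe_rows": find_user_unsafe(conn, INJECTION_PROBE),
        # The safe path returns nothing: no user is literally named "' OR '1'='1".
        "safe_rows": find_user_safe(conn, INJECTION_PROBE),
        # The renderer emits text, not a tag.
        "escaped": render_greeting(XSS_PROBE),
    }
    conn.close()
    return results

if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value!r}")
```

The point of keeping both the unsafe and safe functions is the one Schmidt makes about giving developers the tooling early: a test like `run_checks` fails the build the moment someone reintroduces string concatenation into a query, which is cheaper than finding the same flaw in a pen test after deployment.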

RDN: You worked at Microsoft for five years and were one of the founders of its Trustworthy Computing Strategies Group. Craig Mundie outlined an "End to End Trust" model at the recent RSA conference. What's your take -- is there something new there?
I don't know that there is something new. I think it is just a continuation of the fact that there is no single point solution in any of these things in any environment. It is not a hardware solution. It is not a software solution. It is not a business process solution. It is not an identity management solution.

RDN: Does Microsoft's recent interoperability pledge change the security equation?
It does, and that's one of the things. When you start looking at it, one of the complaints that people had over the years is the inability to write security-related APIs, because they didn't know what it was going to do with the other ones. So having access to the APIs, knowing what function calls are out there, knowing how the security that you implement is going to impact that, is going to once again take us a step further.

RDN: What did you find noteworthy at the recent RSA Security Conference?
As we develop greater dependency on mobile devices, the bad guys will start using unsigned applications on the mobile device to commit the next-gen of cyber crimes and we need to look at it now and build that into the phones that we will start using in the near future.

You can read the rest of this Q&A here.

What were your impressions from the RSA Security conference? And is your organization making any changes to help counter emerging threats? Email me at [email protected].

Posted by Michael Desmond on 04/22/2008 at 1:15 PM
