Desmond File

Blog archive

Q&A: Cyber Crime's Chief Investigator

Howard A. Schmidt has forgotten more about network and systems security than I will probably ever know. A pioneer in the area of computer forensics, he served for more than 30 years as an information security advisor to the FBI, the U.S. Air Force and the Bush administration after Sept. 11, 2001.

Recruited by Microsoft in the mid-'90s, Schmidt served as the company's first chief security officer and, in April 2001, helped launch the company's Trustworthy Computing initiative before leaving to become CSO of eBay in 2003.

Today, Schmidt is the president and CEO of R&H Security Consulting LLC. RDN Senior Editor Kathleen Richards caught up with Schmidt the week after the RSA Conference to find out where security in a Web 2.0 world is headed.

Here are a few excerpts from the conversation. You can read the entire account here.

RDN: What kind of tools should developers be using?
We have to look across the entire spectrum. We should not be asking our developers to develop software and then throw it over the fence and say, OK, Quality Assurance will find the problems with it. We should be giving the developers the tools right from the very outset to do the software scanning and the source code analysis. And that does two things. One, it helps them develop better code as they discover things through the automated scanning process on the base code itself. But it also, once it gets to Quality Assurance, gives them the ability to focus more on quality stuff, then looking at security things which you can eliminate in the first round.

The second thing, when you look at the compiled binaries and stuff like that, the way those things work, generally we look at the pen test side of the thing. We can't ignore that because that is really one of those things when you put it on the production environment, there may be other linkages somewhere that may create a security flaw in the business process while the code itself is secure.

Then clearly the third level of that is in a Web application, Web 2.0 environments, for example. Now you have the ability not just to pull information down but to interact directly -- this creates a really, really dynamic environment, and even simple things like cross-site scripting and SQL injection have to be tested for, at the end result once things are out in the wild.

You worked at Microsoft for five years and were one of the founders of its Trustworthy Computing Strategies Group. Craig Mundie outlined an "End to End Trust" model at the recent RSA conference. What's your take -- is there something new there?
I don't know that there is something new. I think it is just a continuation of the fact that there is no single point solution in any of these things in any environment. It is not a hardware solution. It is not a software solution. It is not a business process solution. It is not an identity management solution.

Does Microsoft's recent interoperability pledge change the security equation?
It does, and that's one of the things when you start looking at one of the complaints that people had over the years is the inability to write security-related APIs because they didn't know what it was going to do with the other ones. So having access to the APIs, knowing what function calls are out there, knowing how the security that you implement is going to impact that is going to once again take us a step further.

What did you find noteworthy at the recent RSA Security Conference?
As we develop greater dependency on mobile devices, the bad guys will start using unsigned applications on the mobile device to commit the next-gen of cyber crimes and we need to look at it now and build that into the phones that we will start using in the near future.

You can read the rest of this Q&A here.

What were your impressions from the RSA Security conference? And is your organization making any changes to help counter emerging threats? Email me at [email protected].

Posted by Michael Desmond on 04/22/2008


comments powered by Disqus

Featured

  • AI for GitHub Collaboration? Maybe Not So Much

    No doubt GitHub Copilot has been a boon for developers, but AI might not be the best tool for collaboration, according to developers weighing in on a recent social media post from the GitHub team.

  • Visual Studio 2022 Getting VS Code 'Command Palette' Equivalent

    As any Visual Studio Code user knows, the editor's command palette is a powerful tool for getting things done quickly, without having to navigate through menus and dialogs. Now, we learn how an equivalent is coming for Microsoft's flagship Visual Studio IDE, invoked by the same familiar Ctrl+Shift+P keyboard shortcut.

  • .NET 9 Preview 3: 'I've Been Waiting 9 Years for This API!'

    Microsoft's third preview of .NET 9 sees a lot of minor tweaks and fixes with no earth-shaking new functionality, but little things can be important to individual developers.

  • Data Anomaly Detection Using a Neural Autoencoder with C#

    Dr. James McCaffrey of Microsoft Research tackles the process of examining a set of source data to find data items that are different in some way from the majority of the source items.

  • What's New for Python, Java in Visual Studio Code

    Microsoft announced March 2024 updates to its Python and Java extensions for Visual Studio Code, the open source-based, cross-platform code editor that has repeatedly been named the No. 1 tool in major development surveys.

Subscribe on YouTube