Neil Smithline: Founder and Senior Security Consultant

Mr. Smithline has spent the past 10 years of his work in the software industry focusing on all aspects of application security. He was the senior security architect for BEA Systems, which, before being bought by Oracle, was the third largest software company in the world. In this role, Mr. Smithline interacted with hundreds of BEA customers, learning what their security needs were, helping them design secure frameworks, and generalizing clever customer solutions into new security features in the BEA security framework. Mr. Smithline has worked with companies ranging from start-ups that had not yet begun to code to many of the world's largest companies [1], including 20 of the top 40 companies on the Forbes Global 2000 list [2]. While working with these companies, Mr. Smithline worked with a vast array of standards and regulations. Some of the more notable ones include HIPAA, Sarbanes-Oxley, Common Criteria, German and Swiss banking laws, and requirements for classified work in many US government agencies.

Besides interacting with customers, Mr. Smithline's role of senior security architect also included leading efforts to produce and implement secure coding standards for all products within BEA, performing company-wide security assessments, training BEA engineers on secure coding and testing strategies, and managing the "Red Team." The Red Team, which was responsible for handling every potential security issue found in BEA products, was created from the ground up by Mr. Smithline, who became its lead shortly after BEA had released its first advisory. Managing appropriate processes for the Red Team was a never-ending challenge because the team had to evolve as BEA itself evolved.

Throughout his security work, Mr. Smithline has recognized that there is no one-size-fits-all solution to security. Security and the processes that go with it must be in alignment with the project's and company's business model, organization, competitive landscape, marketing strategy, and applicable laws and regulations. For example, the security standards developed for BEA Systems had to cover projects as diverse as a 1.0 limited-release product shipped to a few key customers for internal-only deployment and testing, and telephone company (telco) server software that required four- or five-nines reliability.

1) In order to respect the confidentiality of BEA and its customers, I have omitted all company names and instead used generalized descriptions. Swivel.com was kind enough to allow me to use them as a reference.

2) "The Global 2000" list is from Forbes' 2007 Global 2000 List. Because my communications with BEA customers happened while I was employed at BEA, any records of those communications belong to BEA and not to me. Unfortunately, no specifics can be provided about these customers.

Site Highlights

  • 1. No-Risk Security Assessment

    Read about our low-priced No-Risk Security Assessment — Only pay if you are satisfied.

  • 2. Free Web App Security Quiz

    We offer a free, 10-question Web Application Security Quiz covering topics in OWASP.org's 2007 Top Ten Web Vulnerabilities. Detailed explanations are given for every wrong answer. Take the quiz. Have your friends take it. Compare your scores with them — if you dare...

Publications