For Marc Maiffret, the turning point in his life came when--at the age of 17--he woke up to an FBI agent pointing a gun at his head.

A runaway and high school dropout, he had just returned home and landed his first professional job using his computer skills for the good of companies instead of for mischief. But his past was still catching up to his present.

Young, articulate, and outspoken, Maiffret went on to become a celebrity hacker wunderkind, testifying before Congress on security issues, featured in cover stories in numerous magazines and newspapers, appearing in MTV's "True Life: I'm a Hacker," and being named one of People Magazine's 30 People Under 30.

As a co-founder of eEye Digital Security, the street-savvy, brash teen quickly became a thorn in the side of software giant Microsoft, finding vulnerabilities in its products, including the hole that the Code Red worm used to wriggle its way onto thousands of servers in 2001.

Today, at 29, the boyish-looking Maiffret is still causing trouble--the good kind. He joined anti-malware firm FireEye in mid-December as chief security architect. In a recent interview with CNET, Maiffret talked about growing up fast and how he stays ahead of the game.

Q: What are you up to?
Maiffret: I'm chief security architect at FireEye and I focus on improving our product's ability to detect threats. I'm also managing FireEye's research team and I have various speaking engagements.

Where were you before FireEye?
Maiffret: I was with The DigiTrust Group, which is managed security services company targeting small to medium-sized businesses, taking over their Windows desktop security.

When did you start eEye?
Maiffret: I started it when I was 17--co-founded it with my friend Firas Bushnaq and did that for about 10 years or so.

At eEye you caused quite a stir over at Microsoft. Tell me about that.
Maiffret: Yeah. First and foremost, we were building a vulnerability assessment product that could scan your company network and tell you here's all the ways a hacker could break in and here's how to fix it. I was focused on Windows and Microsoft platforms in the beginning. I had been interested in vulnerability research since 1997and more serious stuff in 1998 and 1999. I started to discover some of the more critical remote Microsoft vulnerabilities where you could compromise any Microsoft Web server. That kicked off some of the first real intense looks at Microsoft from a security perspective.

How would you characterize the state of security at Microsoft products at the time?
Maiffret: At that time they didn't even have a dedicated security team. One guy acted as a liaison between marketing and engineering and they treated it very much as a marketing problem, not as a technical problem and not one they needed to focus on addressing. Their attitude was, "if we can keep evil research guys quiet no one will talk about it and we won't have to be distracted trying fix these things." We were not OK with that. We were outspoken, which was unique for a business with tens of millions of dollars in revenue.

Most businesses bite their tongue, because it's not beneficial to speak out against the largest software company in the world. But if you truly cared about improving the world's security you had to do things for the IT community and not just worry about selling products. We did that by holding Microsoft's feet to the fire and holding them accountable for what they were doing wrong.

It started to shift away from being a marketing nuisance and started mattering to them as a company when Bill Gates released his Trustworthy Computing memo [in January 2002]. He stated this was the No. 1 objective of the company, to have the software become secure to the point where people actually trust it. There was a lack of faith in Microsoft and security, especially after all the computer worms like Code Red and Slammer. Banks were talking to Microsoft about switching. Now when you look at Microsoft today they do more to secure their software than anyone. They're the model for how to do it. They're not perfect; there's room for improvement. But they are definitely doing more than anybody else in the industry, I would say.

Are they the model that other companies are following?
Maiffret: From an internal process in how they go about auditing their code and securing software from a technical perspective, they do have one of the best models. The area they still have room for improvement is around time lines of how long it takes for them to fix things. We see time and time again when somebody responsibly reports a security problem to Microsoft it takes many, many months, if not upwards of a year, to get these things resolved. Should there be some new zero day critical emergency, we see they are able to get something out within a couple of weeks. You look at companies like Adobe and they are where Microsoft was 10 years ago.

Read more here