Backdoors Left in Outsourced Code Present Information Security Risk - Information Security Magazine - Page 1

Research on Coding Backdoors Presents Ugly Picture

Research raises awareness of backdoors, which give attackers a cheaper means of malware distribution and system access.

Intelligence agencies call it SOUP, but it's hardly comfort food.

Spelled out, it's software of unknown provenance (or pedigree), and it can be any off-the-shelf app made for business, government or the military where source code access or even documentation is unavailable. Generally, it's a dish being served by the global development supply chain and the business of outsourcing applications that are developed inexpensively anywhere--especially India and Asia-Pacific.

For the most part, organizations that outsource are saving plenty, doing more with less and meeting other profit margin-related corporate mandates. But once the software is delivered, is it clean code? Or has an unscrupulous developer--perhaps one working for an unfriendly nation--left a backdoor?

Sounds a little hokey and conspiratorial, but former L0pht hacker and Veracode founder Chris Wysopal urges companies not to ignore the threat. Veracode's business is binary code inspection, and at the annual RSA Conference last month, Wysopal presented research on the types of backdoors discovered in proprietary and open source code developed over the last 10 years.

It ain't pretty.

Backdoors are a cheaper attack method, especially in high-value environments where well-maintained security exists, Wysopal says.

"Due to the way the development supply chain has gone global, we've lost control over where software is written," Wysopal says. "With outsourcing and the linking in of open source libraries, you need to check for backdoors on critical systems."

This was first published in May 2008
