This article can also be found in the Premium Editorial Download "Information Security magazine: Seven questions to ask before committing to SaaS."
Research raises awareness of backdoors, which give attackers a cheaper means of malware distribution and system access.
Intelligence agencies call it SOUP, but it's hardly comfort food.
Spelled out, it's software of unknown provenance (or pedigree): any off-the-shelf application built for business, government or the military for which source code, or even documentation, is unavailable. Generally, it's a dish served up by the global development supply chain and the business of outsourcing application development to wherever it can be done cheaply--especially India and Asia-Pacific.
For the most part, organizations that outsource are saving plenty, doing more with less and meeting other profit margin-related corporate mandates. But once the software is delivered, is it clean code? Or has an unscrupulous developer--perhaps one working for an unfriendly nation--left a backdoor?
Sounds a little hokey and conspiratorial, but former L0pht hacker and Veracode founder Chris Wysopal urges companies not to ignore the threat. Veracode's business is binary code inspection, and at the annual RSA Conference last month, Wysopal presented research on the types of backdoors discovered in proprietary and open source code developed over the last 10 years.
It ain't pretty.
Backdoors are a cheaper attack method, especially in high-value environments where well-maintained security exists, Wysopal says.
"Due to the way the development supply chain has gone global, we've lost control over where software is written," Wysopal says. "With outsourcing and the linking in of open source libraries, you need to check for backdoors on critical systems."
This was first published in May 2008