If you develop any code in house, a malicious software developer, tester or intruder could squeeze a backdoor into your source code during the development process, jeopardizing your entire product and all of its users. To minimize this threat, perform diligent quality control of your software development and testing process using these tips.
1. Make sure developers are required to authenticate to a version control system using difficult-to-guess passwords or hardware tokens before checking out code to work on or submitting code that they've finished. Utilize version control software that can create a digital signature or integrity hash of all code so you can more quickly spot any illicit changes.
2. Ensure that there's a division of responsibilities and organizational reporting between code developers and software testers. In the testing process, thoroughly employ good, old fashion quality review for in-house developed code, looking for bugs such as buffer overflows and format string flaws that are prevalent today.
For more info on this topic, visit these SearchSecurity.com resources:
- Exploiting Software -- How to Break Code: Chapter 7 -- Buffer Overflow
- Tip: An indictment for applications development
- Tip: Secure coding? Absolutely!
3. Make sure software developers understand what buffer overflows are and how to avoid them. A subtle flaw that could let an attacker take over a system is really the functional equivalent of a backdoor. Evil developers who purposely plant such flaws have plausible deniability, possibly claiming that the flaws were mere mistakes. Work to squash such problems by making sure that at least one other set of eyes besides the developer's reviews all code before it moves on to testing.
4. Make sure your software testing consists of black-box analysis to verify that software meets your security requirements. The software quality assurance process should also include crystal-box analysis, where skilled software personnel review the source code. They should look for any extra, unexpected logic branches associated with user input, which could be a sign of a backdoor planted during the development process.
5. Take the time to perform background checks of software developers and testers.
6. Emphasize the need for security training among software testers. In some organizations, testers are considered the lowest level on the software development totem pole. Discourage this mindset! Remember, quality control is only as good and trustworthy as testers.
About the author
Ed Skoudis is a security consultant with International Network Services, and the author of the books Malware: Fighting Malicious Code and Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses.
This was first published in March 2004