Problem solve Get help with specific problems with your technologies, process and projects.

Thwarting the ultimate inside job: Malware introduced in the software development process

Ed Skoudis offers tips for securing the software development process.

If you develop any code in house, a malicious software developer, tester or intruder could squeeze a backdoor into your source code during the development process, jeopardizing your entire product and all of its users. To minimize this threat, perform diligent quality control of your software development and testing process using these tips.

1. Make sure developers are required to authenticate to a version control system using difficult-to-guess passwords or hardware tokens before checking out code to work on or submitting code that they've finished. Utilize version control software that can create a digital signature or integrity hash of all code so you can more quickly spot any illicit changes.

2. Ensure that there's a division of responsibilities and organizational reporting between code developers and software testers. In the testing process, thoroughly employ good, old fashion quality review for in-house developed code, looking for bugs such as buffer overflows and format string flaws that are prevalent today.

For more info on this topic, visit these resources:
  • Infosec Bookshelf: Exploiting Software -- How to Break Code: Chapter 7 -- Buffer Overflow
  • Tip: An indictment for applications development
  • Tip: Secure coding? Absolutely!

    3. Make sure software developers understand what buffer overflows are and how to avoid them. A subtle flaw that could let an attacker take over a system is really the functional equivalent of a backdoor. Evil developers who purposely plant such flaws have plausible deniability, possibly claiming that the flaws were mere mistakes. Work to squash such problems by making sure that at least one other set of eyes besides the developer's reviews all code before it moves on to testing.

    4. Make sure your software testing consists of black-box analysis to verify that software meets your security requirements. The software quality assurance process should also include crystal-box analysis, where skilled software personnel review the source code. They should look for any extra, unexpected logic branches associated with user input, which could be a sign of a backdoor planted during the development process.

    5. Take the time to perform background checks of software developers and testers.

    6. Emphasize the need for security training among software testers. In some organizations, testers are considered the lowest level on the software development totem pole. Discourage this mindset! Remember, quality control is only as good and trustworthy as testers.

    About the author
    Ed Skoudis is a security consultant with International Network Services, and the author of the books Malware: Fighting Malicious Code and Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses.

  • This was last published in March 2004

    Dig Deeper on Secure software development

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.