Application Backdoors
We're always watching how security threats will morph into the next generation threat that gets by this generation's countermeasures. An interesting interview with Chris Wysopal of Veracode has been posted at CSO on application backdoors. The idea is that people with access to code have the ability to slip in malicious code which allows them to carry out unauthorized activities on the system. We have to trust developers, just like DBAs with databases, but Wysopal argues we need to monitor code for more than just common programming errors.
the one we were focused on is the application backdoor. This is when the software is being developed legitimately, but someone has subverted the development process and has modified that legitimate application with code that is not supposed to be there. All of our research focused on this last category. Our thesis is you can’t just look for standard vulnerabilities, which are essentially developer mistakes. You have to look for other risks that are intentionally put in code or sometimes put in but meant to be removed before production. Some backdoors are planted maliciously and developers hope they make it into production, while others are accidents. They aren’t meant to go into the final code.
Wysopal notes that data on application backdoors is only as good as our detection methods and they are still maturing. He also notes that back doors in open source have relatively short life spans because so many people are looking at the code. It makes me wonder how many business have the time and resources to dedicate to the kind of code reviews that would catch backdoors in custom developed code.
Email This!
Digg it!
Sphere it!
Del.icio.us
Reddit!
Newsvine
