
Homeland Security Backdoor Behaviour

Written by Adrian Bridgwater, Contributor

Recent research from the US Department of Homeland Security points to a “significant” risk from backdoors and 23% of software packages used by US government employees have backdoors built into them – or so I’m told. Taken out of context this statement may be misleading (as far as I know, it may even be unfairly “massaged” statistics) as a huge proportion of the total Homeland Security installed base of IT is almost certainly well behind locked doors – much bigger, stronger locked doors than any backdoor hacker could access.

However, it is a statistic that security companies are fond of using when highlighting the potential security flaws thrown up by backdoor entry possibilities – and automated testing for backdoor entry into software systems is certainly a current must-have in the top ten tricks for any security vendor worth their salt.

Here’s another thing – as the complexity of modern software applications increases, with applications assembled from reusable binary components, backdoors can easily circumvent even the best of QA cycles. Then there’s the aspect of outsourcing and the increasing use of third-party libraries. More backdoors – yup, for sure.

I’ve been in touch on this subject with a company in Boston called Veracode (who specialise in on-demand, pay-as-you-go application security testing services) and here’s what their CEO Matt Moynahan has to say on the subject. “We expect backdoors and malicious code insertion to become an increasingly prevalent attack vector against the enterprise. Because the binary (compiled code) represents the actual attack surface for the hacker, testing the application binaries is the most accurate and complete way to conduct final, independent security validation and verification.”

Interestingly, Moynahan’s company has developed what it says is the first comprehensive taxonomy of backdoors so that application developers can better understand and detect these hidden threats. Where readers might direct their thoughts from here is the difference between backdoor detection in open source software environments vs. their ‘closed source’ cousins. We might generalise here and say that open source detection will always be a lot faster – but it makes you think about how much might be going undetected, doesn’t it?
