Expect more legit software to come packaged with flaws

Backdoor threats in software applications will become a more serious threat and increasingly difficult to detect in the future.

That warning came from Chris Wysopal, CTO of application security provider Veracode, at the RSA Conference Europe, being held this week in London.

Such vulnerabilities were often built into applications for legitimate reasons in the past, he said. Developers and support staff found them useful as a way of gaining access to software remotely, for example.

As security standards improve, particularly in resisting penetration, criminals will shift their efforts to introducing backdoor vulnerabilities into legitimate software in order to penetrate an organization's defenses, he said.

With software supply chains becoming globalized and more complex, it is increasingly difficult to know that a software application is secure.

“How do you know who wrote the code, where it came from?” asked Wysopal.

He said detecting backdoor vulnerabilities can be difficult. Standard techniques of functional testing may not reveal them as they are often designed to evade detection. The alternative is to scan or inspect code for tell-tale signs.

For example, passwords, a range of IP addresses, email addresses, or unfamiliar commands coded as static variables are often symptoms of a backdoor, he said. Automated scanning tools are available, but they are not 100 percent effective, and manual inspection should not be ruled out.
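To make the tell-tale signs concrete, the following is an added example (not from the article or from Veracode) of a minimal source scanner that flags three of the indicators Wysopal lists: credential-like string assignments, static IP addresses or ranges, and static email addresses. The sample source it scans is constructed for the example; real reviews would run this over a repository and follow up each hit by hand, since the text notes that automated checks alone are not enough.

```python
import re
from typing import List, Tuple

# Constructed sample source, standing in for a file under review.
SAMPLE_SOURCE = """\
DB_HOST = "db.internal.example"
ADMIN_PASSWORD = "s3cr3t-override"
ALLOWED_RANGE = "203.0.113.0/24"
NOTIFY = "ops@example.com"
MODE = "debug"
def connect(host, user):
    return dial(host, user)
"""

# Each rule pairs a label with a regex for one indicator discussed above.
RULES: List[Tuple[str, re.Pattern]] = [
    ("hardcoded credential",
     re.compile(r'\b\w*(pass(word|wd)?|secret|token)\w*\s*=\s*["\'][^"\']+["\']', re.I)),
    ("static IP address or range",
     re.compile(r'["\']\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?["\']')),
    ("static email address",
     re.compile(r'["\'][\w.+-]+@[\w-]+(\.[\w-]+)+["\']')),
]

def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_label, stripped_line) for every rule hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, label, line.strip()))
    return findings

if __name__ == "__main__":
    # Prints the three constructed hits (lines 2, 3 and 4) for manual review.
    for lineno, label, line in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {label}: {line}")
```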

Exploits are also becoming increasingly sophisticated in their planning.

“I know of a bank where the people responsible knew the bank's auditing methodology,” he said. “They inserted two pieces of code – the first wasn't picked up – and then activated it with a second.”