Continuing the coverage on the U.S government's overall paranoia of using outsourced software on DoD computers, even hardware -- firmware infections are still in a spy's arsenal only -- in a recent move by the Defense CIO office a tiger team has been officially assigned to audit the software and look for potential backdoors :
"The Pentagon is fielding a task force charged with testing software developed overseas, according to a Defense Department official. The “tiger team,” organized within the Defense CIO’s office, is ready to move to the implementation stage, said Kristen Baldwin, deputy director for software engineering and systems assurance in the Office of the Undersecretary of Defense for Acquisition, Technology, and Logistics. Baldwin spoke yesterday at the DHS-DOD Software Assurance Forum in Fairfax, Va. “Tiger team” is a software-industry term for a group that conducts penetration testing to assess software security. “Success means they understand where their focus needs to be and how to prioritize their efforts,” Baldwin said. “They understand the supply-chain impact on systems engineering, and are ready to move forward in an effort to mitigate assurance risk.”"
There's another perspective you should keep in mind. Looking for backdoors is shortsighted, as the software may come vulnerabilities-ready, so prioritizing whether it's vulnerabilities or actualy backdoors to look for will prove tricky. The use of automated source code auditing may prove valuable as well, but taking into consideration the big picture, if you were to track the vulnerabilities that could act as backdoors in U.S coded software -- taking Windows for instance -- compared to that of foreign software, you'll end up with rather predictable results.
The bottom line, does shipping an insecure software has to do with source code vulnerabilities, or should the threat be perceived in relation to backdoor-shipped software? The true ghost in the shell however remain the yet undiscovered vulnerabilities in the software acting as vectors for installing backdoors, not the softwared itself shipped backdoor-ready. Meanwhile, are stories like these a violation of OPSEC by themselves? I think they are.
No comments:
Post a Comment