Backdoor threats in software applications will become an ever more serious threat and increasingly difficult to detect in future, warned Chris Wysopal, CTO of Veracode.

Such vulnerabilities were often built into applications for legitimate reasons in the past, he said. Developers and support staff found them useful as a way of gaining access to software remotely, for example.

As security standards improve, particularly in resisting penetration, criminals will shift their efforts to introducing backdoor vulnerabilities into legitimate software in order to penetrate an organisation's defences, he said.

With software supply chains becoming globalised and more complex, it is increasingly difficult to know that a software application is secure. “How do you know who wrote the code, where it came from?” said Wysopal.
Detecting backdoor vulnerabilities can be difficult, he warned. Standard techniques of functional testing may not reveal them, as they are often designed to evade detection. The alternative is to scan or inspect code for tell-tale signs.

For example, passwords, a range of IP addresses, email addresses, or unfamiliar commands coded as static variables are often symptoms of a backdoor exploit, he said. Automated scanning tools are available, but these are not 100 percent effective, and manual inspection should not be ruled out, he suggested.
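The tell-tale signs listed above (credentials, IP ranges, email addresses and commands stored as static values) are exactly what a lightweight code scanner can flag for a human reviewer. The following is an added example, not code from the article or from Veracode; the regex heuristics and the sample source it scans are constructed assumptions, and any hit is a lead for manual inspection rather than proof of a backdoor.

```python
import re
from dataclasses import dataclass

# Heuristics for the indicators named in the article. The patterns are
# assumptions for illustration and will produce false positives by design:
# the goal is to surface candidates for manual review, not to judge them.
PATTERNS = {
    "hardcoded_password": re.compile(
        r"""(?:pass(?:word|wd)?|secret|token|pw)\s*[:=]\s*["'][^"']{4,}["']""", re.I),
    "ip_literal": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?\b"),
    "email_literal": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "static_command": re.compile(
        r"""["'](?:/bin/(?:ba)?sh|cmd\.exe|powershell)[^"']*["']""", re.I),
}

@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    snippet: str

def scan_source(source: str) -> list[Finding]:
    """Return one Finding per (line, heuristic) hit, skipping comment-only lines."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "//")):
            continue
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                findings.append(Finding(no, kind, m.group(0)))
    return findings

# Constructed sample source: a maintenance login nobody documented, plus
# static network, contact and command values of the kind the article describes.
SAMPLE = '''\
def login(user, pw):
    # constructed sample: undocumented maintenance account
    MASTER_PASSWORD = "letmein-2007"
    if pw == MASTER_PASSWORD:
        return True
    return check_db(user, pw)

ALLOWED_NET = "203.0.113.0/24"   # constructed documentation range
NOTIFY = "ops@example.invalid"
CMD = "/bin/sh -c"
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line_no}: {f.kind}: {f.snippet}")
```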
Exploits are also becoming increasingly sophisticated in their planning. “I know of a bank where the people responsible knew the bank's auditing methodology. They inserted two pieces of code – the first wasn't picked up – and then activated it with a second,” he said.
Web 2.0 technologies open up new opportunities for criminals. The growth of script-based applications means that criminals will aim to insert malicious code into trusted websites, aiming to exploit vulnerabilities in client software such as web browsers and media players, he said. “Where trusted software was once a target, we're now looking at trusted websites,” he said.