Backdoors in software applications will become an increasingly serious threat, and increasingly difficult to detect, in future, warned Chris Wysopal, CTO of Veracode.
Such vulnerabilities were often built into applications for legitimate reasons in the past, he said. Developers and support staff found them useful as a way of gaining access to software remotely, for example.
As security standards improve, particularly in resisting penetration, criminals will shift their efforts to introducing backdoor vulnerabilities into legitimate software in order to penetrate an organisation's defences, he said.
With software supply chains becoming globalised and more complex, it is increasingly difficult to know whether a software application is secure. “How do you know who wrote the code, where it came from?” said Wysopal.
Detecting backdoor vulnerabilities can be difficult, he warned. Standard functional testing may not reveal them, since backdoors are often designed to evade detection. The alternative is to scan or inspect the code for tell-tale signs.
For example, passwords, ranges of IP addresses, email addresses or unfamiliar commands coded as static variables are often symptoms of a backdoor, he said. Automated scanning tools are available but are not 100 percent effective, and manual inspection should not be ruled out, he suggested.
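As an added illustration of the code-inspection approach described above (this is example code written for this page, not from Wysopal's talk or any Veracode tool), the following Python scanner flags the indicators the article names, namely hard-coded credentials, email addresses, IP literals and unfamiliar "magic" command strings, in a constructed source snippet. The sample source and the rule patterns are assumptions; they are heuristics meant to prompt manual review, not a complete detector.

```python
import re
from dataclasses import dataclass

# Constructed sample source (an assumption, not real application code) containing the
# kinds of static values the article says are worth flagging during inspection.
SAMPLE_SOURCE = '''\
import socket

DB_HOST = "db.internal.example"
MAINT_PASSWORD = "letmein2009"          # hard-coded credential
REPORT_TO = "ops-alerts@example.net"    # hard-coded email address
ALLOWED_PEERS = ["203.0.113.10", "203.0.113.11"]  # hard-coded IP literals
TIMEOUT_SECONDS = 30

def handle(cmd, peer):
    if peer in ALLOWED_PEERS and cmd == "__svc_diag__":   # unfamiliar trigger command
        return run_shell(cmd)
    return None
'''

# Indicator rules as (category, pattern). Illustrative heuristics: expect false positives.
RULES = [
    ("credential",    re.compile(r'(?i)(?:pass(?:word|wd)?|secret|token|api_key)\w*\s*=\s*["\'][^"\']{4,}["\']')),
    ("email",         re.compile(r'["\'][\w.+-]+@[\w-]+(?:\.[\w-]+)+["\']')),
    ("ip_address",    re.compile(r'["\'](?:\d{1,3}\.){3}\d{1,3}["\']')),
    ("magic_command", re.compile(r'==\s*["\']__\w+__["\']')),
]

@dataclass(frozen=True)
class Finding:
    line_no: int
    category: str
    text: str

def scan_source(source: str) -> list[Finding]:
    """Return every indicator match, with the source line it was found on."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        code = line.split("#", 1)[0]  # drop trailing comments (naive: ignores '#' inside strings)
        for category, pattern in RULES:
            for match in pattern.finditer(code):
                findings.append(Finding(line_no, category, match.group(0)))
    return findings

def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, giving a quick triage view of a file."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts
```

Running `scan_source(SAMPLE_SOURCE)` reports the credential on line 4, the email on line 5, two IP literals on line 6 and the trigger string on line 10; each hit is a candidate for the manual inspection the article recommends, not proof of a backdoor.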
Exploits are also becoming increasingly sophisticated in their planning. “I know of a bank where the people responsible knew the bank's auditing methodology. They inserted two pieces of code – the first wasn't picked up – and then activated it with a second,” he said.
Web 2.0 technologies open up new opportunities for criminals. The growth of script-based applications means that criminals will aim to insert malicious code into trusted websites, seeking to exploit vulnerabilities in client software such as web browsers and media players, he said. “Where trusted software was once a target, we're now looking at trusted websites,” he said.