Foreign Software: Security Threat?

Foreign Software: Security Threat?
Foreign Software: Security Threat? 

By Cheryl Gerber
Military Information Technology
Volume: 12  Issue: 2
Feb 28, 2008

Although the global outsourcing of software development and the 
expanding use of commercial software have dropped the price and often 
boosted the quality of software, the practices have also raised the rate 
of malicious code attacks. That has presented a potential national 
security risk that the Department of Defense and a number of companies 
are battling with multiple technologies.

Two reports last year corroborated the nature of the risk and made 
recommendations to mitigate it. In March 2007, the Center for Strategic 
and International Studies (CSIS) issued a report citing malicious code, 
cyber-attacks and espionage as top threats facing the DoD and defense 
industry today, resulting primarily from software developed overseas, 
and to a lesser extent, from the global use of commercial software. The 
report also contended, however, that new software security policies 
ought to focus more on how, rather than where, software is developed.

In September, the report of the Defense Science Board Task Force, 
entitled, Mission Impact of Foreign Influence on DoD Software, came to 
similar conclusions and proposed processes and strategies to reduce the 

Both reports recommended new policies for improving software assurance 
and network integrity. The CSIS report noted that the number of U.S. 
companies outsourcing software development overseas had grown 25 percent 
from 2003 to 2006.

The DSB report warned that the risk of software supply chain exploits 
will escalate as adversaries gain more access through global 
outsourcing. It distinguished between the risks in COTS and higher risks 
of mission-critical custom software, pointing out that while COTS 
development environments are more porous to attack than those of DoD 
custom development environments, subversion of the latter is more likely 
to achieve adversarial objectives.

Hundreds of millions of people look at commercial code, such as Windows, 
whereas critical custom code does not receive the daily scrutiny, does 
not have as many eyeballs on it, rendering it more vulnerable, pointed 
out Dr. Robert Lucky, chairman of the DSB task force that wrote the 

Security software experts agree that when it comes to vetting software, 
the larger the talent pool, the better the result. You want to make 
algorithms public because they cant be trusted unless they are, and you 
get enormous benefit from the public attacking it, said Dan Geer, chief 
scientist and vice president of Verdasys, a security software firm.

Concurrently, opponents wielding malicious code have grown more 
sophisticated. This is no longer hobbyists doing it for fun and games. 
Its playing for keeps. The skill level is increasing. Now its a job paid 
for out of revenue, said Geer. Instead of trying to put a mole in the 
CIA, they try to put a mole in software.

As such, cyber-attacks are now more devious and focused. Theyre getting 
good enough at it that they now favor stealth over persistence. Many 
attacks are now targetednot blanketed, shot-in-the-dark viruses, said 


Subscribe to InfoSec News 

Site design & layout copyright © 1986-2015 CodeGods