[ISN] Auditors warn of foreign risks to weapons software

From: InfoSec News (isn@private)
Date: Wed May 26 2004 - 00:30:08 PDT

    http://www.fcw.com/fcw/articles/2004/0524/web-gaosoft-05-25-04.asp
    
    By Matthew French 
    May 25, 2004
    
    The Defense Department's control of the source of weapons software
    came under fire today in a report issued by the General Accounting
    Office, which said overseas production of software creates an
    unacceptable security environment.
    
    "DOD acquisition and software security policies do not fully address
    the risk of using foreign suppliers to develop weapon system
    software," auditors wrote in the report. "The current acquisition
    guidance allows program officials discretion in managing foreign
    involvement in software development, without requiring them to
    identify and mitigate such risks. Moreover, other policies intended to
    mitigate information system vulnerabilities focus mostly on
    operational software security threats, such as external hacking and
    unauthorized access to information systems, but not on insider
    threats, such as the insertion of malicious code by software
    developers."
    
    The report said military officials recently adopted initiatives that
    could curb the threat, but they have not yet implemented the
    initiatives throughout the department.
    
    Auditors cited weapons development as a particular concern, given the
    potential ramifications should an enemy infect software with
    malicious code or a Trojan horse.
    
    "Unless program officials provide specific guidance, contractors may
    favor business considerations over potential software development
    security risks associated with using foreign suppliers."
    
    As the amount of software on weapon systems increases, it becomes more
    difficult and more costly to test every line of code. Although DOD has
    several software tests through which an application must pass, the
    possibility that stray code can pass through is always a concern.
    
    "The program manager must know more about who is developing software
    and where early in the software acquisition process, so that it can be
    included as part of software source selection and risk mitigation
    decisions," the report said.
    
    Outsourcing software development has been a hot-button topic for more
    than five years, as vendors are forced to balance the cost savings
    with the potential security risks. A section in the House version of
    the 2005 Defense authorization bill offers up to $50 million in grants
    to DOD contractors to develop strategies to avoid outsourcing jobs,
    including technology development.
    
    _________________________________________
    ISN mailing list
    Sponsored by: OSVDB.org
    
    This archive was generated by hypermail 2b30 : Wed May 26 2004 - 04:18:10 PDT