RE: [ISN] Auditors warn of foreign risks to weapons software

From: InfoSec News (isn@private)
Date: Fri May 28 2004 - 05:40:08 PDT

    Forwarded from: Technical Security Division - Lab <secureoffice@private>
    
    This doesn't surprise me at all. Having worked for a European
    Software/Hardware company who shall remain anonymous, on several
    occasions the software team underwent audits from the project
    managers of some of the contracts we were working on.
    
    Most of the coding was done by our engineering office in China whom I
    dealt with on a daily basis and who provided the final builds, however
    we were emphatically ordered by our management not to mention the
    China office or the fact that they did any of our software.
    
    Even in the company phone book the office was called the Quality
    Assurance Team.
    
    Some of our clients included US DOD departments.
    
    Need I say more!
    
    
    -----Original Message-----
    From: isn-bounces@private [mailto:isn-bounces@private] On Behalf
    Of InfoSec News
    Sent: 26 May 2004 08:30
    To: isn@private
    Subject: [ISN] Auditors warn of foreign risks to weapons software 
    
    http://www.fcw.com/fcw/articles/2004/0524/web-gaosoft-05-25-04.asp
    
    By Matthew French
    May 25, 2004
    
    The Defense Department's control of the source of weapons software came
    under fire today in a report issued by the General Accounting Office, which
    said overseas production of software creates an unacceptable security
    environment.
    
    "DOD acquisition and software security policies do not fully address the
    risk of using foreign suppliers to develop weapon system software," auditors
    wrote in the report. "The current acquisition guidance allows program
    officials discretion in managing foreign involvement in software
    development, without requiring them to identify and mitigate such risks.
    Moreover, other policies intended to mitigate information system
    vulnerabilities focus mostly on operational software security threats, such
    as external hacking and unauthorized access to information systems, but not
    on insider threats, such as the insertion of malicious code by software
    developers."
    
    The report said military officials recently adopted initiatives that could
    curb the threat, but they have not yet implemented the initiatives
    throughout the department.
    
    Auditors cited weapons development as a particular concern, given the
    potential ramifications should an enemy infect software with a malicious
    code or a Trojan horse, the report said.
    
    [...]
    
    
    
    _________________________________________
    ISN mailing list
    Sponsored by: OSVDB.org
    



    This archive was generated by hypermail 2b30 : Fri May 28 2004 - 06:28:50 PDT