http://www.military-information-technology.com/article.cfm?DocID=2354

By Cheryl Gerber
Military Information Technology
Volume: 12 Issue: 2
Feb 28, 2008

Although the global outsourcing of software development and the expanding use of commercial software have dropped the price and often boosted the quality of software, the practices have also raised the rate of malicious code attacks. That has presented a potential national security risk that the Department of Defense and a number of companies are battling with multiple technologies.

Two reports last year corroborated the nature of the risk and made recommendations to mitigate it. In March 2007, the Center for Strategic and International Studies (CSIS) issued a report citing malicious code, cyber-attacks and espionage as top threats facing the DoD and defense industry today, resulting primarily from software developed overseas, and to a lesser extent, from the global use of commercial software. The report also contended, however, that new software security policies ought to focus more on how, rather than where, software is developed.

In September, the report of the Defense Science Board Task Force, entitled "Mission Impact of Foreign Influence on DoD Software," came to similar conclusions and proposed processes and strategies to reduce the risk. Both reports recommended new policies for improving software assurance and network integrity.

The CSIS report noted that the number of U.S. companies outsourcing software development overseas had grown 25 percent from 2003 to 2006. The DSB report warned that the risk of software supply chain exploits will escalate as adversaries gain more access through global outsourcing. It distinguished between the risks in COTS and the higher risks of mission-critical custom software, pointing out that while COTS development environments are more porous to attack than those of DoD custom development environments, subversion of the latter is more likely to achieve adversarial objectives.
Hundreds of millions of people look at commercial code, such as Windows, whereas critical custom code does not receive the daily scrutiny and does not have as many eyeballs on it, rendering it more vulnerable, pointed out Dr. Robert Lucky, chairman of the DSB task force that wrote the report.

Security software experts agree that when it comes to vetting software, the larger the talent pool, the better the result. "You want to make algorithms public because they can't be trusted unless they are, and you get enormous benefit from the public attacking it," said Dan Geer, chief scientist and vice president of Verdasys, a security software firm.

Concurrently, opponents wielding malicious code have grown more sophisticated. "This is no longer hobbyists doing it for fun and games. It's playing for keeps. The skill level is increasing. Now it's a job paid for out of revenue," said Geer. "Instead of trying to put a mole in the CIA, they try to put a mole in software."

As such, cyber-attacks are now more devious and focused. "They're getting good enough at it that they now favor stealth over persistence. Many attacks are now targeted, not blanketed, shot-in-the-dark viruses," said Geer.

[...]

Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Sun Mar 02 2008 - 22:11:11 PST