Thwarting the ultimate inside job: Malware introduced in the software development process

3. Make sure software developers understand what buffer overflows are and how to avoid them. A subtle flaw that could let an attacker take over a system is really the functional equivalent of a backdoor. Evil developers who purposely plant such flaws have plausible deniability, possibly claiming that the flaws were mere mistakes. Work to squash such problems by making sure that at least one other set of eyes besides the developer's reviews all code before it moves on to testing.

4. Make sure your software testing consists of black-box analysis to verify that software meets your security requirements. The software quality assurance process should also include crystal-box analysis, where skilled software personnel review the source code. They should look for any extra, unexpected logic branches associated with user input, which could be a sign of a backdoor planted during the development process.

5. Take the time to perform background checks of software developers and testers.

6. Emphasize the need for security training among software testers. In some organizations, testers are considered the lowest level on the software development totem pole. Discourage this mindset! Remember, quality control is only as good and trustworthy as testers.

About the author
Ed Skoudis is a security consultant with International Network Services, and the author of the books Malware: Fighting Malicious Code and Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Threat Monitor How to prevent clickjacking attacks with security policy, not technology How to stop malware in a 'Flash' How to detect system management mode (SMM) rootkits Windows registry forensics: Investigating system-wide settings Weaponizing Kaminsky's DNS discovery Debian: A niche OS with a not-so-niche security flaw Web advertising exploits: Protecting Web browsers and servers Ransomware: How to deal with advanced encryption algorithms Hidden endpoints: Mitigating the threat of non-traditional network devices Protecting exposed servers from Google hacks (and Google 'dorks') Secure Software Development Adobe hopes to speed patch releases with more transparency Microsoft updates code analysis tool, SQL injection XSS library Poor development practices lead to continued security problems How can quality assurance tools aid software development? Metaforic crosses swords with software pirates How can gap analysis be applied to the security system development life cycle? Microsoft opens up secure development program Mozilla's Snyder says security pros should press vendors on security Vista functionality still wins over security Mozilla to release Firefox threat-modeling data RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bypass  (SearchSecurity.com) Common Weakness Enumeration  (SearchSecurity.com) debugging  (SearchSoftwareQuality.com) fuzz testing  (SearchSecurity.com) heuristics  (SearchSoftwareQuality.com) sandbox  (SearchSecurity.com) threat modeling  (SearchSecurity.com) trigraph  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.