Computerworld - How well would you do in a negotiation with a foreign vendor if the representative didn't speak English and your translator was secretly working for a competitor? How would you ever find out? And how would you investigate, even if you did suspect it? We faced this terrible problem recently, but in our case, the translators were programs, not people.
Our software translates stored data into the business information that we use to make decisions and execute trades. If we can't trust that software, then we can't trust what it's telling us about our data. And if we mistakenly trust that data, we'll lose a lot of money very quickly.
We have to place a lot of trust in the staff that writes our applications. We also do a lot of code testing, but that's mostly aimed at finding errors, not deliberately hidden malicious code. Such embedded code might be leaking data to competitors or adjusting financial reports so that the perpetrator can rip us off without being detected.
Luckily, we have sharp audit teams, we force our development teams to use development tool kits, and we conduct code reviews to make sure there are no surprises in our code's quality.
But what if we can't trust our tool kits? What if, after all the manual review and the checking of our custom code, the tool kit goes ahead and installs malicious code in our applications? That was the question I faced when our antivirus software started shouting about us having a "backdoor" program on key production servers.
Specifically, the virus checker found a Dynamic Link Library (DLL) file on most of our servers that contained the signature of a relatively new backdoor tool.
Could some development staffer have sneaked a back door into our code? We immediately shipped copies of our code to antivirus vendors for analysis. Perhaps this was a false alarm. Or perhaps some code combination was setting off the antivirus alert without actually being malicious.
But our hopes were dashed when the vendors confirmed that the code was a match. The code itself consists of a series of hooks that an attacker could use to hide files from the operating system or to collect passwords by intercepting the calls that legitimately ask for them from users.
At first, the finger of suspicion pointed squarely at the development group. Using the new antivirus signatures, we began sweeping across programmers' desktops. The infected files were everywhere -- even on the release CDs from our tool kit provider. Oh.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
