In Depth

Application Security: Is the Backdoor Threat the Next Big Threat to Applications?

By Scott Berinato

December 18, 2007 (CSO)

Risk rarely disappears; it migrates. Thus improvements in spam filters don’t reduce spam, but force it to move somewhere else: to images, MP3s or PDF files. The same holds true for information security vulnerabilities in general, but figuring out where the risk will move, and how, is trickier. Chris Wysopal, a security researcher now with the vendor Veracode, believes he’s caught one of those migrations in progress. As detection and scanning technology gets better at finding accidental coding errors like buffer overflows, Wysopal believes malicious actors will turn more and more to backdoors: holes in programs that are usually intentionally programmed in to allow access to an application.

It wasn’t actually his idea. "We had many CSOs and security folks asking us if we could scan for backdoors," says Wysopal. "We didn’t have scans at the time. So I just started looking around. I went to papers, mailing lists, just looking for anything I could find. It turns out there was very little real academic research on backdoors. A lot of government work would say, 'Step one, look for backdoors,' but it never said how, or what to look for. I decided this research needed to happen."

And that’s what Wysopal’s been up to: building up some basic research and a taxonomy of backdoors. CSO caught up with Wysopal to see how that research is going, what he’s discovered about backdoors in open source versus closed source software, and why we should assume backdoors are being planted in software.

CSO: First, let’s define what we’re talking about here. When you use the term "backdoor," what do you mean?

Wysopal: We split them into three types. Crypto backdoors are when someone designs crypto that they can come back to and easily break. Then there are system backdoors: that’s the rootkit phenomenon, when an attacker finds a vulnerability, gets root access and then installs a rootkit for continuing access. But the one we were focused on is the application backdoor. This is when the software is being developed legitimately, but someone has subverted the development process and has modified that legitimate application with code that is not supposed to be there. All of our research focused on this last category. Our thesis is you can’t just look for standard vulnerabilities, which are essentially developer mistakes. You have to look for other risks that are intentionally put in code or sometimes put in but
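Wysopal’s thesis above is that a scanner tuned for developer mistakes does not see code that was put in on purpose. The following Python is an added illustration of that distinction, not code from the interview, from Wysopal or from Veracode. It parses a constructed login routine with the standard `ast` module and runs two checks over it: a conventional dangerous-call check (the kind of thing that finds developer mistakes) reports nothing, while a check for an authentication function that compares a parameter to a string literal and then grants access flags the inserted branch. The sample source, the placeholder credential values and the function-name hints are all assumptions made for the example.

```python
import ast

# Constructed sample program (not real code from any product): a login routine
# whose first branch is an intentionally inserted, hard-coded access path.
# The credential values are obvious placeholders, not real secrets.
SAMPLE_SOURCE = '''
def check_login(user, password, store):
    if user == "PLACEHOLDER_USER" and password == "PLACEHOLDER_SECRET":
        return True
    record = store.get(user)
    return record is not None and record.verify(password)
'''

# The same routine with the inserted branch removed (constructed, for contrast).
CLEAN_SOURCE = '''
def check_login(user, password, store):
    record = store.get(user)
    return record is not None and record.verify(password)
'''

# Heuristic: function names that suggest an authentication decision (assumption).
AUTH_NAME_HINTS = ("login", "auth", "verify", "check")

# Calls a conventional "developer mistake" scanner typically flags.
UNSAFE_CALLS = {"eval", "exec", "system"}


def find_unsafe_calls(source):
    """Stand-in for a conventional vulnerability check: flag dangerous calls."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            func = node.func
            name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
            if name in UNSAFE_CALLS:
                hits.append((name, node.lineno))
    return hits


def find_literal_credential_checks(source):
    """Flag auth-looking functions with an `if` that compares a parameter to a
    string literal and then unconditionally returns True (an application-
    backdoor pattern: a fixed credential that bypasses the real check)."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        if not any(hint in func.name.lower() for hint in AUTH_NAME_HINTS):
            continue
        params = {a.arg for a in func.args.args}
        for node in ast.walk(func):
            if not isinstance(node, ast.If):
                continue
            # Parameters compared with == against a string constant in the condition.
            literal_params = []
            for cmp in ast.walk(node.test):
                if (isinstance(cmp, ast.Compare) and len(cmp.ops) == 1
                        and isinstance(cmp.ops[0], ast.Eq)):
                    sides = [cmp.left, cmp.comparators[0]]
                    names = [s.id for s in sides
                             if isinstance(s, ast.Name) and s.id in params]
                    lits = [s for s in sides
                            if isinstance(s, ast.Constant) and isinstance(s.value, str)]
                    if names and lits:
                        literal_params.append(names[0])
            # Does the branch body grant access outright?
            grants = any(isinstance(st, ast.Return)
                         and isinstance(st.value, ast.Constant)
                         and st.value.value is True
                         for st in node.body)
            if literal_params and grants:
                findings.append({"function": func.name, "line": node.lineno,
                                 "params": literal_params})
    return findings


if __name__ == "__main__":
    print("unsafe calls:", find_unsafe_calls(SAMPLE_SOURCE))
    print("literal credential checks:", find_literal_credential_checks(SAMPLE_SOURCE))
```

The point of the pairing is that the inserted branch contains nothing a mistake-oriented check recognises as dangerous; it only becomes visible when the check asks a different question (who is granted access, and on what evidence), which is the kind of reasoning the interview argues backdoor research needs to supply.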
