Outsource vulnerabilities - Embedded.com

Outsource vulnerabilities

Microsoft's decision to let Windows XP auto-download updates makes a lot of sense. It's a great way to disseminate security upgrades and bug fixes. As a user I have to believe that my computer's operating system is cheating entropy and improving over time.

But what's really going on? XP users have, in effect, opened a portal into their machines, which allows our pals in Redmond to make changes at will. What information is being uploaded? Are the bug patches benign? Could one malicious programmer at Microsoft flood the Wintel space with some horrible infection?

The answer is: Trust Microsoft. Fact is, that's worked pretty well so far.

But now the New York Times is reporting a new threat to software — especially to embedded systems. Though no specific instances have as yet surfaced, many people have expressed concerns that outsourced software, particularly software that's created in developing countries, may have maliciously-installed security vulnerabilities.

Officials fear that organized crime, cyberterrorists — or simply rogue programmers — may secretly infiltrate overseas software development efforts. Pakistan, the Philippines and Russia are mentioned as being the biggest threats.

The company contracting for the project has no idea what's inside the delivered code. Most outfits figure if it works, it's done. It's perfect if it passes the tests. Yet sleeper code could lurk that remains dormant for a time and then unleashes mayhem.

Currently most contract work takes place in India, where developers have a strong sense of the Right Way to build software. Inspections ensure that no vulnerabilities slip in. I'm convinced the biggest of these outfits jealously guard their reputations by conducting very effective inspections. One cannot help but wonder if the smaller, hungrier, companies are as thorough. Are developers in other countries as disciplined? Does local management insist on a careful inspection process? Do the customers understand and audit the process?

You can almost define software as being that component of a system that's invisible, essential to a system's operation but which no one ever sees. The open source movement is one powerful deterrent to code with back doors. But open source will never provide the security safeguards needed by embedded systems. The market is too fragmented and specialized; how many folks are going to read the code for your smart toaster?

The head of one Indian contract software company, said “We can guarantee, basically, that the code we deliver will be bug-free and will perform to specifications and will not have holes in it.”

Bug-free code? That's patently absurd. Is the hole-free comment equally ridiculous?

Jack G. Ganssle is a lecturer and consultant on embedded development issues. He conducts seminars on embedded systems and helps companies with their embedded challenges. He founded two companies specializing in embedded systems. Contact him at . His website is .

Take the poll

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.