Auditors warn of foreign risks to weapons software

[InfoSec News <isn () c4i org>]

http://www.fcw.com/fcw/articles/2004/0524/web-gaosoft-05-25-04.asp

By Matthew French 
May 25, 2004

The Defense Department's control of the source of weapons software
came under fire today in a report issued by the General Accounting
Office, which said overseas production of software creates an
unacceptable security environment.

"DOD acquisition and software security policies do not fully address
the risk of using foreign suppliers to develop weapon system
software," auditors wrote in the report. "The current acquisition
guidance allows program officials discretion in managing foreign
involvement in software development, without requiring them to
identify and mitigate such risks. Moreover, other policies intended to
mitigate information system vulnerabilities focus mostly on
operational software security threats, such as external hacking and
unauthorized access to information systems, but not on insider
threats, such as the insertion of malicious code by software
developers."

The report said military officials recently adopted initiatives that
could curb the threat, but they have not yet implemented the
initiatives throughout the department.

Auditors cited weapons development as a particular concern, given the
potential ramifications should an enemy infect software with a
malicious code or a Trojan horse, the report said.

"Unless program officials provide specific guidance, contractors may
favor business considerations over potential software development
security risks associated with using foreign suppliers."

As the amount of software on weapon systems increases, it becomes more
difficult and more costly to test every line of code. Although DOD has
several software tests through which an application must pass, the
possibility that stray code can pass through is always a concern.

"The program manager must know more about who is developing software
and where early in the software acquisition process, so that it can be
included as part of software source selection and risk mitigation
decisions," the report said.

Outsourcing software development has been a hot-button topic for more
than five years, as vendors are forced to balance the cost savings
with the potential security risks. A section in the House version of
the 2005 Defense authorization bill offers up to $50 million in grants
to DOD contractors to develop strategies to avoid outsourcing jobs,
including technology development.



_________________________________________
ISN mailing list
Sponsored by: OSVDB.org