On-demand application security testing firm Veracode has added detection for backdoors and malicious code to its services. The addition aims to tap into concerns about the integrity of code developed by outsourced contractors. Veracode’s SecurityReview provides application code review as an online subscription-based service. …
Offshoring - OutSourcing - Inhouse
Does any of it matter?
Each is liable as a security risk - and the risk tends to run depending upon how you reward the coders. People are more likely to backdoor you if you get the rewards mix wrong.
It is about trust, unless you are willing to wade in and crack out the code yourself.
That is why developer-led companies for software security do well technically, whilst marketing-led security companies use scare tactics.
I would say that offshoring is a bit daft, because you lose legal recourse and loyalty is near zero.
Inhouse, well that is a threat if you treat your development team badly, and don't give them a stake in the product.
Outsourcing, hmm, well that depends how you do it: if you hire contractors and give them a stake you will be ok. If you hire an outsourcing company who gets the stake, but their developers don't, then you are close to offshoring again.
It boils down to trust and having a stake in the success of the product. If the code is open you can at least review it properly, though the cost of review can be prohibitive, and who is to say the reviewers may not introduce backdoors.
It does amuse me that they say it doesn't matter if they can see the source code or not. I would want that explained fully, because it sounds to me like some marketing dweeb asked a developer if source code was necessary to check for security holes, and got bored as the developer went into how IDA Pro worked. A debugger or disassembler is no substitute for source code, and in many cases is now illegal to apply.
Static binary analysis has come a long way beyond IDA Pro, which is essentially just a disassembler. Veracode creates a high-level representation of the software, much like the parse tree that a compiler generates. This can then be scanned for security defects. Source code static analyzers don't scan source directly. Like Veracode, they scan the parse tree. This means that Veracode's technology has the accuracy of a static source code scanner but can operate on 100% of the code base, including all the libraries you don't have source to.
1st Anonymous Coward: Source vs Binary
Someone said, "A debugger or disassembler is no substitute for source code, and in many cases is now illegal to apply."
You have to remember that it is not the source which executes on the computer but rather a compiled binary, and the two don't necessarily "match". This may be due to a number of reasons such as compiler optimizations. Flaws that don't appear in the source can manifest themselves in the binary and vice versa. A good example of this is the source calling memset() on some memory to scrub a cleartext password; yet this is optimized out by the compiler and so a security flaw is introduced in the binary. Thus reviewing the source would turn up nothing whereas reviewing the binary would.
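The memset() scenario in this comment, as an added example that is not code from the thread (the function names are constructed): the naive version scrubs a password buffer with a plain memset() that dead-store elimination is allowed to remove, while the hardened version writes through a volatile pointer so the stores must remain in the compiled binary.

```c
#include <stddef.h>
#include <string.h>

/* Naive scrub, as described in the comment above: pw is never read after
 * the memset(), so the compiler may treat it as a dead store and drop it.
 * The source scrubs the password; the optimized binary may not. */
int check_password_naive(const char *input, const char *expected)
{
    char pw[64];
    strncpy(pw, input, sizeof pw - 1);
    pw[sizeof pw - 1] = '\0';
    int ok = (strcmp(pw, expected) == 0);
    memset(pw, 0, sizeof pw);      /* candidate for dead-store elimination */
    return ok;
}

/* Hardened scrub: every store goes through a volatile-qualified pointer,
 * which the C standard requires the compiler to perform. Copies spilled
 * to registers or other stack slots are still outside this function's
 * reach; memset_s()/explicit_bzero() are alternatives where provided. */
void secure_memzero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

int check_password_hardened(const char *input, const char *expected)
{
    char pw[64];
    strncpy(pw, input, sizeof pw - 1);
    pw[sizeof pw - 1] = '\0';
    int ok = (strcmp(pw, expected) == 0);
    secure_memzero(pw, sizeof pw); /* volatile stores survive optimization */
    return ok;
}

/* Functional check that the volatile loop zeroes a buffer: fill it with
 * non-zero bytes, scrub, return how many bytes are still non-zero (0 = ok).
 * Whether a plain memset() survived can only be seen in the binary itself,
 * which is the comment's point about reviewing binaries. */
size_t scrub_residue(void)
{
    unsigned char buf[32];
    size_t i, left = 0;
    memset(buf, 0xA5, sizeof buf);
    secure_memzero(buf, sizeof buf);
    for (i = 0; i < sizeof buf; i++) left += (buf[i] != 0);
    return left;
}
```

Compiling both check functions at -O2 and comparing the disassembly shows the difference the comment describes: the memset() call in the naive version can vanish while the volatile store loop in the hardened version stays.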