Your Software Is Only as Secure as Your Developers

As we go to press, Microsoft has issued its 65th security bulletin of the year disclosing a security flaw of critical severity in most versions of its popular Windows operating system. Microsoft urges users of Windows 2000, Millennium, 98, and NT 4.0 to download a software patch from the company's security Web site. Attackers could exploit a vulnerability in the software that underlies many database functions and take over the user's computer. Microsoft's newest version, Windows XP, does not have the problem.

In the U.S. it was recently discovered that a substantial percentage of airport security workers - who are supposed to assure that no one boarding a flight is using false identification - are using false identification themselves. Quite a few are also criminals; hundreds have been arrested in the past couple of weeks. These people were hired to protect us from people just like them.

The largest security hole in the country's information technology infrastructure is not some new type of virus or an outside hacker trying to get into corporate or government systems; it's developers working on software projects all over the world. In the current technology downturn it has become very popular to turn to offshore outsourcing, sending IT projects all over the world using the Internet as the conduit. Every Fortune 500 company and U.S. government office uses software created by people of unknown backgrounds and intentions. It is a standard practice on large technology projects for one company to act as the prime contractor and have multiple specialty companies act as subcontractors. For example, Microsoft regularly has source code written in India.

There are absolutely no development security standards in place anywhere in the industry. What is checked is that the price is as low as possible and that the code works. Nobody ever checks with the FBI, CIA, or anyone else to assure that the developers working on the projects do not have a second agenda. For all you know, Osama bin Laden himself or people who think like him are writing part of the source code for your current project, gaining intimate knowledge of every vulnerability of the system being built and any other systems it will interface with. Remember, you stand on line at airports all over the U.S. for hours to go through make-believe security checks staffed by people with false identification and criminal backgrounds.

I know this may sound unbelievable, but that is exactly what the U.S. Customs Service thinks it found last night in a raid on Ptech Inc. They believe Ptech is linked to one of bin Laden's alleged money men, a Saudi multimillionaire named Qassin al-Kadi. If true, it is not a good thing. Ptech has worked with Aetna, Allegheny Energy Supply, Booz Allen Hamilton, the FAA, the FBI, IBM Global Services, MetLife, Motorola, NATO, PricewaterhouseCoopers, Southern California Edison, Sprint, the Air Force, the Department of Energy, the Department of Education, the Department of Veterans Affairs, the House of Representatives, the Forest Service, the Postal Service, and Weyerhaeuser.

After this revelation it should be evident to any rational person that it is not enough for any software house - no matter how big - to say they have some type of unaudited security system in place and that we shouldn't worry. What the industry needs is to work with government to put in place an independent third party to act as a central clearing house that at least seriously attempts to assure that terrorists or terrorist sympathizers are not actively mining software projects with endless trouble.

Anyone who says that the thought of methodical software terrorism and cyber warfare is far-fetched, that the industry does not need to be hyper-vigilant, and that it could never happen only has to look at the past and see that it was not too long ago that U.S. television featured shows that focused on the first World Trade Center bombing. These shows always ended with the assurance that the people who did it were safely in jail and there was no way they could ever knock down one of the buildings. Well, guess what? The next time they tried to knock them down - they succeeded. It took 10 years for them to figure it out, but they did.

More Stories By Jacques Martin

Jack Martin, editor-in-chief of WebSphere Journal, is cofounder and CEO of Simplex Knowledge Company (publisher of Sarbanes-Oxley Compliance Journal), an Internet software boutique specializing in WebSphere development. Simplex developed the first remote video transmission system designed specifically for childcare centers, which received worldwide media attention, and the world's first diagnostic quality ultrasound broadcast system. Jack is co-author of Understanding WebSphere, from Prentice Hall.
