Too good to be true…
I was talking to an old friend at the recent Mobility Day held at the Microsoft office near Boston, and he brought up an incident that I have seen happen to others. I realized, though, that it isn’t something talked about often, so it seemed like perfect blog fodder.
He told me of working with a large bank in Boston (that doesn’t really narrow the list down) where outsourcing was literally a requirement based on the budget. The code for the bank system was developed by a Russian firm that showed great talent. Unfortunately, they also showed great talent for deceit. The code delivered had three backdoors in it that would have allowed easy access to account data and possibly to money. After a very wise line-by-line code review and the removal of the offending code, the system was deemed safe. How often has this happened without it being caught? The X-Files premise, “Trust No One,” is actually correct. I don’t mean to indicate that only off-shore firms would do this, quite the contrary, but I think the odds go up based on how subject to prosecution the developers would find themselves if discovered.
This also brings up what I think is the biggest fantasy of all: the one that asserts that open source code is inherently more secure than commercial software. We have examples from the last 12 months where some of our selfless open source contributors were not so selfless after all. It should be no secret, based on the main subject of my entire blog, that I think security is where all the action will be in the next five years. This translates to where all the cost will be as well.
My point is that you must truly Trust No One. If you decide to use open source because it is cheaper, then you are deluding yourself unless you include the cost of a complete, line-by-line code review before implementing it. The advantage of using commercial / proprietary products is that if you buy from a company, and you make sure it is one you can sue for enough money to matter should they put in a backdoor, then that is your hedge against the threat. Always ask yourself what is preventing this developer from putting in a backdoor.
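As an added example (not from the original post, and not code from any real bank system), the constructed Python below shows the shape of the simplest kind of delivered backdoor, a magic password and a magic user name buried in an otherwise normal login check, next to a clean version, plus a crude review aid that flags comparisons of credential-named variables against string literals. The function names, the credential-name list and both source snippets are constructed assumptions for illustration only.

```python
"""Constructed illustration of a hard-coded backdoor and a crude review aid.

Added example, not from the original post or any real system. Every snippet
and name below is constructed for illustration.
"""
import ast
import hashlib
import hmac

# Identifier names that, when compared against a string literal inside code,
# deserve a reviewer's attention. Constructed list; extend for your code base.
CREDENTIAL_NAMES = {"password", "passwd", "pwd", "user", "username",
                    "token", "secret", "key", "apikey"}


def hash_password(password: str) -> str:
    # Deliberately simple for the example; a real system uses a salted, slow KDF.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed snippet: what a delivered login check with two backdoors can look like.
BACKDOORED_SOURCE = '''
def check_login(user, password, stored_hash):
    if password == "s3cr3t_maint_2004":
        return True
    if user == "qa_admin":
        return True
    return hash_password(password) == stored_hash
'''

# Constructed snippet: the same check without the bypasses.
CLEAN_SOURCE = '''
def check_login(user, password, stored_hash):
    return hmac.compare_digest(hash_password(password), stored_hash)
'''


def find_suspicious_auth(source: str):
    """Return (line, reason) pairs for comparisons of a credential-named
    variable against a string literal, the signature of a magic-value bypass."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Compare):
            continue
        operands = [node.left, *node.comparators]
        names = {n.id.lower() for n in operands if isinstance(n, ast.Name)}
        literals = [c.value for c in operands
                    if isinstance(c, ast.Constant) and isinstance(c.value, str)]
        hit = names & CREDENTIAL_NAMES
        if hit and literals:
            findings.append((node.lineno,
                             f"{sorted(hit)[0]} compared to literal {literals[0]!r}"))
    return findings


def load_check_login(source: str):
    """Compile a constructed snippet and hand back its check_login function."""
    ns = {"hash_password": hash_password, "hmac": hmac}
    exec(compile(source, "<constructed>", "exec"), ns)
    return ns["check_login"]


def demo():
    """Exercise both versions with a real stored hash and run the scanner."""
    stored = hash_password("alice-real-password")
    backdoored = load_check_login(BACKDOORED_SOURCE)
    clean = load_check_login(CLEAN_SOURCE)
    return {
        "backdoored_master_pw": backdoored("alice", "s3cr3t_maint_2004", stored),
        "backdoored_no_pw": backdoored("qa_admin", "", stored),
        "clean_master_pw": clean("alice", "s3cr3t_maint_2004", stored),
        "clean_real_pw": clean("alice", "alice-real-password", stored),
        "findings_backdoored": find_suspicious_auth(BACKDOORED_SOURCE),
        "findings_clean": find_suspicious_auth(CLEAN_SOURCE),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running it shows the backdoored check accepting the master password for any account and accepting the magic user with no password at all, while the clean version rejects both; the scanner reports lines 3 and 5 of the constructed snippet and nothing in the clean one. A scan like this only narrows where to look: a backdoor built from a computed or obfuscated value, or hidden in a dependency, passes it untouched, which is exactly why the line-by-line review the post describes is the real control.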
Patrick Hynds