By Norman Yue – Chief Technology Officer
Recently, I stumbled across an interesting blog post on Reddit about trusting security software (http://blog.cryptographyengineering.com/2013/10/lets-audit-truecrypt.html). This got me thinking, and kicked off a few conversations – to be honest, pretty much any open source software can be backdoored, and a good number of open source software packages have been, or still are. It doesn’t need to be an obvious backdoor – simply omitting a security control, or rendering it weaker than it could be, could be just as effective (and much, much more difficult to detect during a source code audit).
For an attacker, the payoff is potentially huge, depending on the particular software being backdoored (just imagine if a tool such as nmap, or some FIM software, was to be backdoored). The cost can range from the attacker putting his hand up to “maintain” an open source WordPress plugin, to going after something unrelated and ending up with access to the source code repository of a popular security tool in his/her lap.