[ISN] Auditors warn of foreign risks to weapons software

InfoSec News isn at c4i.org
Fri May 28 08:40:08 EDT 2004 

Fowarded from: Technical Security Division - Lab <secureoffice at eircom.net>

This doesn't surprise me at all. Having worked for a European
Software/Hardware company who shall remain anonymous, on several
occasions the software team under went audits from the project
managers of some of the contracts we were working on.

Most of the coding was done by our engineering office in China whom I
dealt with on a daily basis and who provided the final builds, however
we were emphatically ordered by our management not to mention the
China office or the fact that they did any of our software.

Even in the company phone book the office was called the Quality
Assurance Team.

Some of clients included US DOD departments.

Need I say more!


-----Original Message-----
From: isn-bounces at attrition.org [mailto:isn-bounces at attrition.org] On Behalf
Of InfoSec News
Sent: 26 May 2004 08:30
To: isn at attrition.org
Subject: [ISN] Auditors warn of foreign risks to weapons software 

http://www.fcw.com/fcw/articles/2004/0524/web-gaosoft-05-25-04.asp

By Matthew French
May 25, 2004

The Defense Department's control of the source of weapons software came
under fire today in a report issued by the General Accounting Office, which
said overseas production of software creates an unacceptable security
environment.

"DOD acquisition and software security policies do not fully address the
risk of using foreign suppliers to develop weapon system software," auditors
wrote in the report. "The current acquisition guidance allows program
officials discretion in managing foreign involvement in software
development, without requiring them to identify and mitigate such risks.
Moreover, other policies intended to mitigate information system
vulnerabilities focus mostly on operational software security threats, such
as external hacking and unauthorized access to information systems, but not
on insider threats, such as the insertion of malicious code by software
developers."

The report said military officials recently adopted initiatives that could
curb the threat, but they have not yet implemented the initiatives
throughout the department.

Auditors cited weapons development as a particular concern, given the
potential ramifications should an enemy infect software with a malicious
code or a Trojan horse, the report said.

[...]

More information about the ISN mailing list