{"title":"Understanding and Countering Insider Threats in Software Development","authors":"M. Franz","doi":"10.1109/MCETECH.2008.32","DOIUrl":null,"url":null,"abstract":"E-commerce and e-government depend on trustworthy software platforms. Unfortunately, barely a week goes by without the discovery of a \"critical\" software vulnerability that would give a remote party complete access to a large number of network-attached computers. Considering the rising financial incentives and the immeasurable strategic importance of such vulnerabilities, one should assume that there are parties within commercial software companies that are actively scouting out (and perhaps even inserting) such errors for future exploitation. For various reasons that we touch on briefly, software manufacturers appear to be unwilling to even discuss this possibility. We explain why open-source software development is not a solution, either. We then outline an approach that significantly reduces the problem, even when malicious insiders are part of the software development team. Our approach is based on running several slightly different versions of the same software in parallel on different cores of a multiprocessor. As a beneficial side effect, our method is able to locate actual programming errors.","PeriodicalId":299458,"journal":{"name":"2008 International MCETECH Conference on e-Technologies (mcetech 2008)","volume":"78 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2008-01-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"6","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2008 International MCETECH Conference on e-Technologies (mcetech 2008)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/MCETECH.2008.32","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 6
Abstract
E-commerce and e-government depend on trustworthy software platforms. Unfortunately, barely a week goes by without the discovery of a "critical" software vulnerability that would give a remote party complete access to a large number of network-attached computers. Considering the rising financial incentives and the immeasurable strategic importance of such vulnerabilities, one should assume that there are parties within commercial software companies that are actively scouting out (and perhaps even inserting) such errors for future exploitation. For various reasons that we touch on briefly, software manufacturers appear to be unwilling to even discuss this possibility. We explain why open-source software development is not a solution, either. We then outline an approach that significantly reduces the problem, even when malicious insiders are part of the software development team. Our approach is based on running several slightly different versions of the same software in parallel on different cores of a multiprocessor. As a beneficial side effect, our method is able to locate actual programming errors.