In our application security engagements, we frequently look out for security loopholes that are present in the application source code. Most of these loopholes happen because of certain assumptions in the application architecture, high level design and implementation. But, there are certain loopholes that are left in the application source code intentionally. Because of this reason, these inside jobs are termed as more malicious.
For example, let’s say that the application has a mail routine and sends billing details (credit card information) to the invoice admin. What if, an employee working in the development team, adds his email address to the mail routine so that he can know the credit card numbers and the transactions for some financial gain?. Every time, the invoice admin receives an email, this employee would also receive that information in BCC. Since he is in BCC list, invoice admin would not notice it. The security consultant might not notice this as he might think of this as a functional requirement.
For this reason, Fortify has come up with a rulepack called ‘Insider Threat RulePack’. The functionality of this rulepack is
1) Email Spying
2) Detecting Logic Bombs in the code.
3) Detecting Nefarious Communication
4) Detecting Backdoors.
5) Dynamic Code injection etc.
This rulepack makes it easier for the security consultant to detect malicious code left intentionally in the source code.
More on this rulepack can be found here.