Was Lack of Proper Code Analysis Tools a Root Cause of Juniper Networks Security Backdoors?

by

With the advances in cloud and mobile technology, security remains a hot topic for every company. The number of reported security backdoors caused by faulty code or hardware continues to grow at a staggering rate. A recent article by Wired describes another of these unfortunate cases at a big player: Juniper. This technology giant has been providing networking and firewall products to companies, corporations, and governments for many years.

When you are a leader in networking technology, the last thing you want to hear is that your own products have an application security problem. Juniper identified two security issues during a code review conducted outside of the company's normal evaluation cycle. Security remains a primary concern as more companies, government agencies, and even individuals rely on technology providers to manage their data and keep operations running smoothly.

What Security Gaps Were Found?

Juniper found "unauthorized" code embedded in ScreenOS, the operating system that runs its NetScreen firewalls. The code had been part of the operating system for a long period of time and opened two separate security backdoors, which allowed attackers to do the following:

  1. Gain complete administrative control of a NetScreen firewall.
  2. Decrypt information sent through the device's VPN connections.

The two backdoors were independent of each other. The first was a hard-coded master password: anyone who knew it could log in to the firewall remotely as an administrator. The second weakened the encryption used by the firewall's VPN, so an attacker who could capture VPN traffic could decrypt it without ever logging in to the device. As reported by MarketWatch in a related article, the code carrying the master password was written to look like software debugging code, which made it hard to recognize as a security problem during a typical review.

Code Analysis is a Company’s First Line of Defense

Hidden credentials and weakened encryption of this kind surface far more often than most people would like to think. Routine evaluation of source code to identify defects and assess overall quality has become standard practice for software. Unfortunately, the speed at which new features and services must be delivered often means that needed reviews are swept under the rug, or that code is never examined closely enough to be understood. In Juniper's case, the problem was code embedded in the product that was not found during the company's normal code analysis cycles.
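As an added example, not code from this article or from Juniper, the following Python heuristic shows what a targeted code-analysis rule for the pattern described above looks like: it resolves string constants, finds strcmp-family calls that compare a credential-named value against a fixed string, and additionally flags any such literal that is shaped like a printf format, which is how a master password disguised as debug plumbing would stand out from a genuine debug print. The C snippet it scans is constructed for illustration, the password string in it is a made-up stand-in (not the real ScreenOS value), and the names auth_check, dbg_fmt, lookup_pw and admin_login are invented.

```python
import re
from dataclasses import dataclass

# Constructed C snippet (NOT ScreenOS source) modelled on the pattern the
# article describes: a hard-coded master password whose value is shaped like a
# printf-style debug format string, sitting next to a legitimate debug print.
# The string below is a made-up stand-in, not the real ScreenOS password.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>

const char *lookup_pw(const char *user);
static const char *dbg_fmt = "<<< %s(user='%s') = %d";

int auth_check(const char *user, const char *pass)
{
    if (strcmp(pass, dbg_fmt) == 0)          /* looks like debug plumbing */
        return 1;
    if (strcmp(pass, lookup_pw(user)) == 0)  /* normal per-user check */
        return 1;
    return 0;
}

int admin_login(const char *pw)
{
    return strcmp(pw, "letmein") == 0;       /* plain hard-coded password */
}

void log_login(const char *user, int rc)
{
    printf("<<< %s(user='%s') = %d\n", "auth_check", user, rc);
}
'''

# strcmp-family call with its first two arguments captured
CMP_CALL = re.compile(
    r'\b(strcmp|strncmp|memcmp|strcasecmp)\s*\(\s*([^,]+?)\s*,\s*([^,)]+?)\s*(?:,[^)]*)?\)')
# a C string literal, used to recognise an inline "..." argument
STR_LIT = re.compile(r'"((?:[^"\\]|\\.)*)"')
# "const char *name = "...";" so identifiers can be resolved to their literal
CONST_DEF = re.compile(
    r'\b(?:static\s+)?const\s+char\s*\*?\s*(\w+)\s*(?:\[\s*\])?\s*=\s*"((?:[^"\\]|\\.)*)"')
# printf-style conversion specifier: the shape a disguised credential borrows
FMT_SPEC = re.compile(r'%[-+ #0]*\d*(?:\.\d+)?[diouxXeEfgGcs]')
# names that suggest a credential is being handled
CRED_NAME = re.compile(r'pass|pwd|pw\b|secret|token|auth|login', re.I)
# crude "type name(args)" function header on a single line
FUNC_DEF = re.compile(r'^\s*\w[\w\s\*]*?\b(\w+)\s*\([^;]*\)\s*$')
KEYWORDS = ("if", "else", "while", "for", "switch", "return")


@dataclass
class Finding:
    line: int
    func: str
    literal: str
    reason: str


def scan(source: str) -> list[Finding]:
    """Flag comparisons of a credential-looking value against a fixed string."""
    consts = {m.group(1): m.group(2) for m in CONST_DEF.finditer(source)}
    findings: list[Finding] = []
    func = "<global>"
    for lineno, line in enumerate(source.splitlines(), 1):
        m = FUNC_DEF.match(line)
        if m and not line.lstrip().startswith(KEYWORDS):
            func = m.group(1)                 # track the enclosing function name
        for cm in CMP_CALL.finditer(line):
            args = [cm.group(2).strip(), cm.group(3).strip()]
            for i, arg in enumerate(args):
                lit = STR_LIT.fullmatch(arg)
                if lit:
                    literal = lit.group(1)    # inline "literal" argument
                elif arg in consts:
                    literal = consts[arg]     # identifier resolved to its literal
                else:
                    continue                  # both sides variable: not a fixed secret
                other = args[1 - i]
                if not (CRED_NAME.search(other) or CRED_NAME.search(func)):
                    continue                  # comparison unrelated to credentials
                reason = "credential compared against a fixed string"
                if FMT_SPEC.search(literal):
                    reason += "; literal is shaped like a printf format (possible disguise)"
                findings.append(Finding(lineno, func, literal, reason))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_C):
        print(f"line {f.line} in {f.func}(): {f.reason}: {f.literal!r}")
```

Run stand-alone, the script reports two findings: the comparison in auth_check against dbg_fmt, marked as printf-shaped, and the plain hard-coded password in admin_login; the genuine printf call in log_login is not reported because the format-like string there is passed to a logging function, not compared against a credential. A real static-analysis tool expresses the same rule over an abstract syntax tree and data flow rather than with regular expressions, which is what makes it robust against indirection and code split across files, but the check it encodes is the one shown here.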

After identifying the vulnerabilities, Juniper acted quickly and released patched ScreenOS versions. However, a patch only helps once it is installed: every firewall still running an affected ScreenOS release remains vulnerable, and now that the backdoors have been publicly described, the potential for further attacks against unpatched devices is high. In Juniper's defense, the unauthorized code was not easy to identify, but closer analysis could have found it sooner.

Source code review is often treated as a way to assess developer productivity and manage quality, but it is also where defects, including deliberately hidden ones, get caught. Code analysis tools let companies find such issues faster and more consistently than manual review alone. While not every security backdoor is preventable, Juniper's discovery is another clear example of why code analysis is essential.

References:

http://www.marketwatch.com/story/juniper-networks-security-issue-raises-more-questions-about-backdoors-2015-12-28

http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors/

Pete Pizzutillo VP Corporate Marketing at CAST