Working with more than 50 malicious backdoors written over the last 10 years we show how insiders who write code, whether they are developers working for an enterprise or contributors to an open source project, have an almost unlimited number of ways to put chinks in the armor of their software. These holes are often put in place for seemingly good reasons to facilitate easy debugging, make working from home easier, or as a failsafe in case other mechanisms for interfacing with the system fail. However, we'll consider what happens when insiders aren't so pure of heart, including logic bombs and backdoors that allow them to embezzle funds, steal private information, or exact revenge if they become disgruntled.
Whether unintentional or malicious, code that performs questionable behavior or permits unauthorized access can be introduced with relative ease and can persist in a code base almost indefinitely without being discovered. Until it's too late. In this talk, we discuss obvious techniques defenders should employ, outline obvious techniques attackers will apply, and the theoretical limits of the problem. We give detailed examples of insider threats that have been uncovered in real software systems, outline possible motives for malicious insiders, and discuss how external stimuli like layoffs are increasing the attention paid to insider threats. We conclude the talk with the head-to-head results of a face-off between modern static analysis and the best backdoors we've come across.