Cisco SSH vulnerability sparks debate over backdoors

Dan Cornell, CTO of Denim Group, an application security consultancy, noted that shipping devices with default SSH key pairs “might be a major issue, but it isn’t surprising. Stuff like this happens all the time.”

Cornell said that for the Cisco SSH key pair to be considered a backdoor, it would have to have been left intentionally, but “nothing that has been reported so far provides any insight into the reasoning for the devices shipping with the default key pair.”

“That said, a scary thing about security vulnerabilities is that any security vulnerability could be a backdoor — if it was inserted into the product intentionally. That is actually the easiest way to insert backdoors into many systems because it provides the developer or vendor with deniability. ‘I’m sorry — I made a coding mistake’ is very difficult to refute, especially given the continuing high incidence and prevalence of vulnerabilities in software systems.”

Gula said it wouldn’t be “fair to call this a backdoor.”

About Denim Group

Denim Group is the leading secure software development firm, serving as a trusted advisor to customers on matters of software risk and security. The company builds software for the most security conscious while helping organizations assess and mitigate risk within their existing software. Denim Group's flagship ThreadFix product accelerates the process of software vulnerability remediation, reflecting the company's rich understanding of what it takes to fix application vulnerabilities faster. Denim Group has emerged as a strong contributor to the larger application security community and has actively participated in the Open Web Application Security Project (OWASP) since shortly after its inception.

Among many other awards, Denim Group has landed on the "Inc. 5000" list - which recognizes the country's 5000 fastest-growing private companies - for five years in a row. In addition, the San Antonio Business Journal named Denim Group as one of the "Best Places to Work" in the city.
