Backdoors used to be for tradesmen and a charlady. Now they are apparently a fixture of modern appliances, popular with attackers. This backdoor vulnerability (or simply stupidity) in Barracuda security appliances makes us re-think the trust that we have to place in our security providers. Again.
It is not only that it leaves our firewalls, virus scanners, VPNs etc. open to the world and his dog. Adding insult to injury, this access is undocumented, is protected by a weak password, and cannot be disabled. It is like leaving the key to your back door under the doormat.
The challenge that we all face is whether we can trust the providers of our security fixtures. When appliances were simple, it was possible to run a series of tests on them and rest reasonably assured that the quality was there. Not anymore. Now they are so complicated that we are unable to assess the quality ourselves – we must rely on the manufacturer’s word.
Trustworthiness is not only a property of the appliance and its software. It is, above all, a property of the manufacturer and operator of such an appliance. We have to accept our dependence on them, but we have to embed that dependence in our risk analysis. There is no trustworthy device from a shady manufacturer. Full stop.
Therefore, next time, before you plug in that shiny new security appliance, think Trust Governance. Do some analysis with TraCoDA or some assessment with Trust-O-Meter. Otherwise you might be plugging a wide open backdoor into the system you have a duty to care for.