Title :
Understanding and Countering Insider Threats in Software Development
Author_Institution :
Univ. of California, Irvine
Abstract :
E-commerce and e-government depend on trustworthy software platforms. Unfortunately, barely a week goes by without the discovery of a "critical" software vulnerability that would give a remote party complete access to a large number of network-attached computers. Considering the rising financial incentives and the immeasurable strategic importance of such vulnerabilities, one should assume that there are parties within commercial software companies that are actively scouting out (and perhaps even inserting) such errors for future exploitation. For various reasons that we touch on briefly, software manufacturers appear to be unwilling to even discuss this possibility. We explain why open-source software development is not a solution, either. We then outline an approach that significantly reduces the problem, even when malicious insiders are part of the software development team. Our approach is based on running several slightly different versions of the same software in parallel on different cores of a multiprocessor. As a beneficial side effect, our method is able to locate actual programming errors.
Keywords :
computer crime; program diagnostics; public domain software; software reliability; critical software vulnerability; e-commerce; e-government; malicious insider threat countering; open-source software development; software manufacturers; Computer crime; Computer errors; Computer networks; Electronic government; Law enforcement; Manufacturing; Open source software; Portfolios; Programming; Relays;
Conference_Title :
e-Technologies, 2008 International MCETECH Conference on
Conference_Location :
Montreal, Que.
Print_ISBN :
978-0-7695-3082-6
DOI :
10.1109/MCETECH.2008.32