What You Need to Understand About Software Security

In part three of the “Two Factors that Affect Software Security” blog series, we dive deeper into the security of the engineers themselves that are responsible for creating software solutions. As manufacturers continue to focus on driving down development costs, they have often chosen to use outsourced/contract software programmers.  

In 2023 and 2024, FBI Director Christopher Wray spent considerable time warning the country for over a year that the Chinese government poses a 'broad and unrelenting' threat to U.S. critical infrastructure. And it’s not all about breaking through a firewall and social engineering. For example, a 2024 New Fortress Information Security Research Report found that approximately 90% of the software used by U.S. energy companies contains code created by Russian & Chinese developers. It is unknown how much of this code is compromised and to what extent. However, the report further stated that software with Russian or Chinese-made code is 2.25 times more likely to have vulnerabilities and that the “software is three times more likely to have critical vulnerabilities.” 

In addition, research from SecurityWeek showed that North Korea (and to some extent China) is using nation-state operatives to pose as fake remote workers to infiltrate US companies. Part of this is to help North Korea fund their nuclear program. However, attackers also performed various actions to manipulate session history files, transfer potentially harmful files, and execute unauthorized software. 

Another SecurityWeek report showed that the incident I just cited above was not an isolated case. There have been hundreds of recent attempts by North Korea to infiltrate US companies with software engineers to steal information and plant malware — all while the engineers are making money to help fund North Korea’s activities. 

If that doesn’t make you feel concerned, consider this. A 2022 report from Georgetown University’s Center for Security and Emerging Technology found that state and local entities in almost every U.S. state are using foreign technology (phones, cameras, etc.) that is banned by the federal government. This has created an enhanced security risk across the country for all levels of government.  

As a side note, while this blog focuses mainly on the US, this is a global problem. For instance, according to Business Insider, South Korea decided to remove 1,300 cameras from its military bases after discovering that the devices had software designed to send camera feeds back to a Chinese server. Concerns like this are why President Biden sought to enact controls over the use of software in Chinese manufactured cars. Rear Adm. Jay Vann, commander of the United States Coast Guard’s Cyber Command, has also complained about the use of undocumented “Chinese software” and cellular modems that are installed on approximately 80% of ship to shore cranes used in United States trade ports. The software and modems were undocumented on the bill of sale for the cranes manufactured by a Chinese company called ZPMC. 

What should hopefully be clear by now is that there is a clear and present danger from using both foreign made software product and software engineers from foreign countries. The threat is credible and documented — meaning there is risk and liability to companies and government organizations purchasing solutions under those considerations.  

Axellio uses United States citizen workers and does not overly rely on the use of open-source code. Axellio carefully manages its use of open-source components and rigorously tests and evaluates the code used to reduce exposure to vulnerabilities. If you want additional information, check out this sales brief on the Axellio website.