Potential Security Risks of integrating software add-in requests
I do security assessments for add-ins/add-ons and a variety of supplemental pieces of software; this is mostly as a technical advisory staff member.
The chairperson of the group has asked me to look for, in his words:
"I am looking for respected documentations and views that support the belief that software add-ins can pose a threat to a network infrastructure when not properly scrutinized and analyzed, especially when the add-in which one believes he or she is installing turns out to be imbedded with malicious code."
So if you have any links to, for example, IEEE articles or similar, I would appreciate it, since the purpose is to gather as much material as possible in support of the contention above.
There are many articles about software vulnerabilities, but they seem to be more specific than the general category of add-ins that you mentioned. Here is an article from yesterday about rogue DLL exploits.
Thanks.
Excellent link.
I am still searching in the publicly available areas; so, if you have links, papers, or PDFs, I would appreciate anything supporting the original contention above.
Most of the good papers and material in this area, it seems, are of prohibitive cost for a government body, but I have yet to exhaust all my areas. Oh, how I wish for a Lexis Nexis account!!
My wife had access to Lexis Nexis when she was working in the library as a technical librarian; worth its weight in gold.
I am basically doing a lot of research based on my own experience and her advice, since she is retired. However, if I had the cash I would get a Lexis Nexis account for source data for all sorts of things; there is pretty much little it can't do in finding things (unless you do an overloaded Lexis Nexis search, which usually results in a null find). But since I am trying to get this basic work right, justifying anything to management has to be overdone in my experience. You can have the Jack and Jill summary header, but if the core material gets the detail then the advisors to management usually can't say no (well, they CAN, they just bury the report and recommendation :-).