Endpoint Security Vendors Allegedly Allowed Russian Code Review
According to a recent report by Reuters, endpoint security solution providers Symantec, McAfee, Micro Focus' ArcSight, and SAP are coming under scrutiny for allowing Russian government officials to review the source code of their respective platforms and solutions.
Russian regulations dictate that tech companies wishing to sell their products in the Russian marketplace must submit their source code for review by domestic defense agencies. However, this review requirement has been met with concern by U.S. lawmakers and security experts, because many of the examined vendors also protect major U.S. government agencies, including the Pentagon, NASA, the State Department, and the FBI. In principle, Russian officials could use intimate knowledge of a solution's source code to evade its detection methods or to exploit vulnerabilities they discover during the review.
The vendors alleged to have submitted to this review process contend that they do so in secure settings where no code can be altered or removed, and only under close surveillance by the vendor, with no recording devices or even pencils allowed. However, as of late 2017, Symantec and McAfee no longer permit review by Russian authorities, and Micro Focus has begun restricting it.
McAfee declined further comment to Reuters. Symantec denies that Russian authorities have seen its most recent source code, and says it has considerably updated its source code since the last Russian evaluation. In an emailed statement, the vendor said, "We have no reason to believe that prior reviews impacted the security of our products."
According to Steve Quane of Trend Micro, "Even letting people look at source code for a minute is incredibly dangerous," since experienced researchers can spot vulnerabilities with only a brief look at the code. Compounding the risk, the U.S. government can take decades before updating its security software, so any weakness learned during a review may remain exploitable for a long time.
These new allegations raise questions about how solution providers can balance the demands of a global marketplace with the security of their source code.