
How do source code reviews of security products work?

Tensions between the U.S. and Russia have led to source code reviews on security products, but the process isn't new. Expert Michael Cobb explains what to know about these reviews.

Cybersecurity products by U.S. companies such as Cisco, IBM and Microsoft are reportedly being subjected to source code reviews by Russian government agencies before they can continue selling their products in the country. This has raised many privacy and security concerns. How do these types of source code reviews typically work, and are there any risks of which vendors should be aware?

According to market researcher IDC, the Russian information technology market is expected to be worth $18.4 billion this year. However, to sell cybersecurity products in Russia, companies like IBM, Cisco, SAP, Hewlett Packard Enterprise (HPE) and McAfee have had to allow Russia to conduct source code reviews of their products. Given the rising tensions between Russia and the West, Russian authorities want to ensure foreign intelligence agencies haven't embedded backdoors or other code into security products that could be used to attack Russian systems.

It's not unusual for government agencies to require source code reviews before purchasing IT products. In the United States, the source code of software supplied under defense contracts and in other sensitive areas is often audited. However, there must be a high degree of trust and a robust nondisclosure agreement between the vendor that is opening up its source code -- an asset of extremely high value -- and the accredited third party that reviews it.

Companies tasked with these reviews are subject to strict and ongoing audits. For example, vendors that want to have their software validated in accordance with Federal Information Processing Standard Publication 140-2, a U.S. government requirement for all unclassified uses of cryptography, use Cryptographic Module Testing laboratories accredited under the Cryptographic Module Validation Program.

In Russia, the Federal Security Service (FSB) is responsible for regulating and approving the sale of sophisticated technology products, and the agencies that perform security code reviews must be accredited by it. Reviews can also be conducted by the Federal Service for Technical and Export Control (FSTEC), a department of the Russian Ministry of Defense tasked with countering cyberespionage and protecting state secrets. FSTEC said in a statement that its reviews were in line with international practices.

A report by Reuters stated that any company refusing the security code reviews could see the FSB deny or indefinitely delay approval to import its products into Russia. According to Reuters, companies including Cisco, IBM, HPE and Microsoft had to submit to these security code reviews.

Records published by FSTEC show that from 1996 to 2013, it conducted source code reviews as part of the approval process for 13 technology products from Western companies. In the past three years, it carried out 28 reviews.

The companies involved say they only allow the code reviews to take place in secure facilities that prevent the code from being copied or altered; typically, this means a clean room where reviewers can inspect the code but do little else. The level of risk depends on how secure the clean room actually is.

McAfee said its reviews are conducted at certified testing labs on company-owned premises in the U.S., while reviews of SAP's source code take place in a secure SAP facility in Germany. However, any company certified to carry out quality assurance tests will have some association with its government, because the certification process itself is government regulated.

Symantec is one company that has stopped allowing the reviews because it wasn't convinced the testing agencies were fully independent of the Russian government. Symantec and other experts are worried that testing agencies will share any vulnerabilities they discover with the Russian government, improving its cyberattack capabilities.

It is natural that governments will want assurances that companies from a hostile country haven't planted spyware in products they are going to purchase; Russian security company Kaspersky Lab, for example, is willing to undergo a source code review for the U.S. government to prove that the company isn't a Trojan horse for Russian spies.

While there is such a high degree of suspicion between the U.S. and Russia, companies will have to decide whether they would rather be shut out of the lucrative Russian market than risk their intellectual property being compromised or copied.


This was last published in November 2017
