How do source code reviews of security products work?

Tensions between the U.S. and Russia have led to source code reviews on security products, but the process isn't new. Expert Michael Cobb explains what to know about these reviews.

Cybersecurity products by U.S. companies such as Cisco, IBM and Microsoft are reportedly being subjected to source code reviews by Russian government agencies before they can continue selling their products in the country. This has raised many privacy and security concerns. How do these types of source code reviews typically work, and are there any risks of which vendors should be aware?

According to market researcher IDC, the Russian information technology market is expected to be worth $18.4 billion this year. However, to sell cybersecurity products in Russia, companies like IBM, Cisco, SAP, Hewlett Packard Enterprise (HPE) and McAfee have had to allow Russia to conduct source code reviews of their products. Given the rising tensions between Russia and the West, Russian authorities want to ensure foreign intelligence agencies haven't embedded backdoors or other code into security products that could be used to attack Russian systems.

It's not unusual for government agencies to require source code reviews before purchasing IT products. In the United States, the source code of software supplied under defense contracts and in other sensitive areas is often audited. However, there must be a high degree of trust and a robust nondisclosure agreement between the vendor that is opening up its source code -- which is of extremely high value -- and the accredited third party that reviews it.

Companies tasked with these reviews are subject to strict and ongoing audits. For example, vendors that want to have their software validated in accordance with Federal Information Processing Standard Publication 140-2, a U.S. government requirement for all unclassified uses of cryptography, use Cryptographic Module Testing laboratories accredited under the Cryptographic Module Validation Program.

In Russia, the Federal Security Service (FSB) is responsible for regulating and approving the sale of sophisticated technology products, and the agencies that perform security code reviews must be accredited by it. Reviews can also be conducted by the Federal Service for Technical and Export Control (FSTEC), a department of the Russian Ministry of Defense tasked with countering cyberespionage and protecting state secrets. FSTEC said in a statement that its reviews were in line with international practices.

A report by Reuters stated that any company refusing the security code reviews could see the FSB deny or indefinitely delay approval to import its products into Russia. According to Reuters, companies including Cisco, IBM, HPE and Microsoft had to submit to these security code reviews.

Records published by FSTEC show that from 1996 to 2013, it conducted source code reviews as part of the approval process for 13 technology products from Western companies. In the past three years, it carried out 28 reviews.

The companies involved say they only allow the code reviews to take place in secure facilities that can prevent code from being copied or altered; typically, this means a clean room where reviewers can inspect the code, but do little else. The level of risk depends on how secure the clean room is.

McAfee said the reviews are conducted at certified testing labs at company-owned premises in the U.S., while the reviews of SAP's source code take place in a secure SAP facility in Germany. However, any company certified to carry out quality assurance tests will have some association with its government, as their own certification process must be government regulated.

Symantec is one company that has stopped allowing the reviews because it wasn't convinced the testing agencies were fully independent from the Russian government. The company and other experts are worried that testing agencies will share any vulnerabilities they discover with the Russian government, improving its cyberattack capabilities.

It is natural that governments will want assurances that companies from a hostile country haven't planted spyware in products they are going to purchase; Russian security company Kaspersky Lab, for example, is willing to undergo a source code review for the U.S. government to prove that the company isn't a Trojan horse for Russian spies.

While there is such a high degree of suspicion between the U.S. and Russia, companies will have to decide whether they would rather be shut out of the lucrative Russian market than risk their intellectual property being compromised or copied.


This was last published in November 2017
