Partners Troubled By Report That Russian Government Vets Vendor Source Code

Partners said they were concerned over a report Friday that major security vendors, including Cisco, IBM, SAP, McAfee and HPE, handed over source code to Russian authorities for review.

The Reuters report, citing documents and unnamed sources, said the vendors submitted to requests for Russian authorities to review their products before they could be sold in the country. The products included antivirus, firewalls, and software, the report said.

The report noted that other vendors, most notably Symantec, have stopped supplying source code for review to Russian authorities over independence and security concerns.

Some companies confirmed their participation in the reviews, saying the reviews are conducted in "clean rooms," where no code can be altered or transferred. According to the report, the requests are made by the Federal Service for Technical and Export Control and the Russian Federal Security Service and conducted by testing companies that appear to have links to the Russian military.

CRN reached out to Cisco, IBM, SAP, McAfee and HPE for comment. Cisco declined to comment on the report, citing a policy that it does not comment on individual reviews, but the company said it has a restrictive and secure process, in general, for third-party reviews.

In a statement, IBM said it does not provide back doors to its technology, but will on occasion submit to third-party reviews for reliability. It said it had not conducted reviews with Russia for "several years" and, when they did occur, it happened in "highly-secure IBM environments." McAfee, SAP and HPE did not respond to requests for comment.

While no specific hack has been shown to result from these reviews, partners called the report and its implications "troubling." One executive, who has partnerships with most of the vendors mentioned in the report and did not want to be named, was eager to learn more about the precautions companies were likely to take in security reviews. "Bottom line, if they are handing over the source code, how hard do you think it is to write an exploit to that code?" the partner executive said.

Ethan Simmons, managing partner of Pinnacle Technology Partners, said the move could open up new market opportunities for companies like Cisco and didn't have much immediate impact on him as a U.S.-based partner. However, he said it could pose a major problem if the source code were leaked in some way to Russia or hackers.

"If it, in any way, helps someone else compromise a business here then that would be my big concern," Simmons said. "On face value, it looks great, but it's one of those things where it's a slippery slope where it could do more harm than good in the long term."

Richard Delaney, CTO and principal solutions architect at Mahwah, N.J.-based Delaney Computer Services, said he was also concerned about the possible implications of a source code leak, calling that "troubling."

"With Cisco [and other vendors] sharing information with these folks, you have the potential for those trade secrets and security secrets slipping right into the bad guys' hands," Delaney said.

Gabriel Quiroz, technical services lead and network engineer at Delaney Computer Services, said it is normal to allow source code reviews through programs such as the Cisco Technology Verification Services. However, he said putting the source code into third-party hands for review, as described in the Reuters report, takes the source code out of the company's controlled environment and opens it to potential exposure. From there, he said, hackers could more easily discover backdoors and vulnerabilities in the companies' security solutions.

"It's troubling, for sure," Quiroz said.

Quiroz said the bigger implication for companies like Cisco in the wake of this report could come in the form of a loss of public trust in their security solutions.

"In the end, I think it will come down to the public trust. That may be their issue," Quiroz said. "They may find that in the public eye a lot of customers might find it troubling and use other solutions."