Is source code inspection a security risk? Maybe not, experts say

Some information security insiders raised a red flag when Russian requests to review security software code became known. The controversy may be a tempest in a teapot.


Moscow's recent demand to inspect the source code of American software vendors supplying the Russian government does not pose the severe security threat some are making it out to be, experts say, emphasizing that while sharing source code with a nation-state adversary does make it easier for an attacker to find security flaws, source code is far from the "keys to the kingdom" for bug hunters.

At a time of heightened cyberespionage between the US and Russia, Moscow's worries about possible backdoors in American software seem like legitimate concerns that justify a request for source code review, experts suggested.

The controversy began in October, when news broke that Hewlett Packard Enterprise had let a Russian defense agency review the source code of its ArcSight SIEM product (since sold to UK firm Micro Focus International Plc), which is widely used in industry and also by the Pentagon, according to an October report by Reuters. The revelation sparked an outcry against sharing source code with foreign governments and prompted Symantec's CEO Greg Clark to tell Reuters, "These are secrets, or things necessary to defend (software). It's best kept that way."

Well-known cybersecurity experts, however, dismissed the controversy as a tempest in a teapot. "As someone who has hunted bugs for 15 years, having source code is barely advantageous," tweeted former NSA hacker Charlie Miller, best known for his stunt hack of a Jeep a few years ago. "Counterintuitive but true," agreed Peiter "Mudge" Zatko, former head of cybersecurity research at DARPA. "You find fewer bugs analyzing source code. You find more bugs evaluating binaries and augmenting with fuzzing."
