Is source code inspection a security risk? Maybe not, experts say

Some information security insiders raised a red flag when Russian requests to review security software code became known. The controversy may be a tempest in a teapot.

Moscow's recent demand to inspect the source code of American software vendors supplying the Russian government does not pose the severe security threat some are making it out to be, experts say, emphasizing that while sharing source code with a nation-state adversary does make it easier for an attacker to find security flaws, source code is far from the "keys to the kingdom" for bug hunters.

At a time of heightened cyberespionage between the US and Russia, Moscow's worries about possible backdoors in American software seem like legitimate concerns that justify a request for source code review, experts suggested.

The controversy began in October, when the news broke that Hewlett Packard Enterprise let a Russian defense agency review the source code for the company's ArcSight SIEM offering (since sold to UK firm Micro Focus International Plc), widely used in industry and also by the Pentagon, according to an October report by Reuters. The revelation sparked an outcry against sharing source code with foreign governments, and prompted Symantec's CEO Greg Clark to tell Reuters: "These are secrets, or things necessary to defend (software). It's best kept that way."

Well-known cybersecurity experts questioned this tempest in a teapot, however. "As someone who has hunted bugs for 15 years, having source code is barely advantageous," former NSA hacker Charlie Miller, best known for stunt hacking a Jeep a few years ago, tweeted. "Counterintuitive but true," former head of cybersecurity research at DARPA Peiter "Mudge" Zatko, agreed, "You find fewer bugs analyzing source code. You find more bugs evaluating binaries and augmenting with fuzzing."
