Slashdot Mirror

← Back to Stories (view on slashdot.org)

Symantec CEO: Source Code Reviews Pose Unacceptable Risk (reuters.com)

Posted by BeauHD on from the security-risk dept.

In an exclusive report from Reuters, Symantec's CEO says it is no longer allowing governments to review the source code of its software because of fears the agreements would compromise the security of its products. From the report: Tech companies have been under increasing pressure to allow the Russian government to examine source code, the closely guarded inner workings of software, in exchange for approvals to sell products in Russia. Symantec's decision highlights a growing tension for U.S. technology companies that must weigh their role as protectors of U.S. cybersecurity as they pursue business with some of Washington's adversaries, including Russia and China, according to security experts. While Symantec once allowed the reviews, Clark said that he now sees the security threats as too great. At a time of increased nation-state hacking, Symantec concluded the risk of losing customer confidence by allowing reviews was not worth the business the company could win, he said.

10 of 172 comments (clear)

  1. Two Choices by sehlat · · Score: 5, Insightful

    Either let nobody review the code, or let everybody in the world who wants to look at it review it. I rather suspect that crowdsourcing security reviews might actually make all code safer and more secure, if only because there WILL be friendly eyes going through it and proofreading the code.

  2. The end of the article is laughable by Anonymous Coward · · Score: 5, Insightful

    “As a vendor here in the United States,” Clark said, “we are headquartered in a country where it is OK to say no.”

    Yeah right and national security letters are a figment of my imagination...

  3. Wrong by Anonymous Coward · · Score: 5, Insightful

    It is unreviewed proprietary source code is what poses the most significant risk. Any government technology department that fails to do a source code review of a product before deployment is committing malpractice. If a vendor refuses to cooperate their product should be barred from competition.

  4. Says volumes by nehumanuscrede · · Score: 5, Insightful

    about how much he believes in the security of his own software.

    The best stuff is that which can stand up to peer review and intense scrutiny, yet retain its trust level.

    Given a choice between a closed source super-secret-trust-us-its-secure platform or an open source peer-reviewed-I-dare-you-to-break-it one, guess which one I would prefer to go with ?

    1. Re:Says volumes by swillden · · Score: 5, Insightful

      By keeping the algorithm a secret then we have effectively added a few more bits to the key.

      You didn't, really.

      If the attacker has your binary, decompiling it is not hard. I don't even have to decompile it in most cases, merely watching how the pattern of memory accesses is generally enough to identify at least the class of algorithm used (there aren't that many), and examination of S boxes etc., tells the rest. And if the algorithm you used is remotely close to breakable -- by brute force or any other means -- then you're hosed.

      Obscurity is very foolish except in one case: security hardware which has internal storage, and can't practically be updated. A good example is a smart card chip. In that case, all you can do is do the best job you can on the software, and the best job you can do on the hardware (whose job is partly to deny the attacker access to your software), and then keep it secret. Assuming the hardware doesn't leak it, and you don't leak it, then the attacker can only blindly fuzz the device to look for vulnerabilities.

      In practice, though, smart card makers don't do that either. They do provide full details of hardware and software, including source code, to a couple of highly-capable test labs, who spend many months poring through all of it as well as fuzzing it, attempting physical penetration of the hardware and everything else they can think of.

      If your organization did that, hired multiple outside teams of extremely talented people to attack your implementation, and you kept the attacker away from the binary as well as the source, then perhaps you gained something from the obscurity. If not, you just fooled yourselves, and made your product weaker than it would have been if you had published the design and the source code for the world to beat on.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  5. Oh, Really? by Bruce+Perens · · Score: 5, Insightful

    I've published the source code of my own products since about 1987. The difference between Symantec and me is that I give the source code to everyone, and I give them an incentive to read the code, because they can also redistribute and modify it, and put it to any use.

    And of course a national entity that wants to enough, like the government of Russia, is going to get a look at the Symantec source code even if it means getting someone into a job there to do it. So, isn't Symantec just saying that their proprietary paradigm is a poor one from a security perspective?

    --
    Bruce Perens.
    1. Re:Oh, Really? by alvinrod · · Score: 3, Insightful

      That's a poor argument. It's hard to count the value of open source software because in many cases their is no charge. The world wouldn't be anywhere near where it is now if there were no Linux, Apache, or various other open source products that are used the world over if everyone were stuck buying some commercial product that wouldn't necessarily even be as good.

      A lot of developers of proprietary software still use open source tools. Both git and SVN are among the most popular version control systems and very little collaborative work could occur on the levels required today without tools like that. That developers can freely use and improve those tools just means that money can be spent elsewhere. How many billions would need to be spent if FOSS like that didn't exist?

  6. Good and bad nations? by AHuxley · · Score: 4, Insightful

    Who gets a review?
    USA, UK, NZ, AU, Canada?
    Some of the more trusted NATO nations? All of NATO? Nations wishing to join NATO soon?
    Some other nations? A China? Brazil? Japan?
    Why would any nation buy into a security product they have not seen all the code to?
    Other developers will just offer their products for review. How long before nations just say no review, no buy?

    --
    Domestic spying is now "Benign Information Gathering"
  7. Re:Don't Waste Your Money by sittingnut · · Score: 5, Insightful

    usa government (and its cronies) logic :
    kaspersky software finds (as it is supposed to) nsa's new malware in a nsa contractor's private computer. alerts hq, russian gov perhaps hears about it. kaspersky is a security threat.
    meanwhile symantec never finds any nsa malware. symantec wont let others examine its source. symantec is patriotic!

  8. Re: Don't Waste Your Money by sittingnut · · Score: 5, Insightful

    how come some low id Slashdot accounts are pushing the Kremlin line recently? Is it anything to do with a comment on the 20 year anniversary story saying these accounts are worth money or has the Slashdot database been hacked?

    may be "low id slashdot accounts" prefer openness, individual freedom, and critical thinking, over secrecy, "security"(as defined by deep state), and propaganda.