
Code audit is required. Security through obscurity is evil

On January 25, the Reuters news agency reported that firms such as McAfee, SAP, and Symantec allowed Russian intelligence agencies to inspect the source code of their products, and that this “potentially endangers computer networks of at least a dozen federal agencies in the United States.” This article explains what a source code audit is and which companies allow it, and examines the thesis that “Russia’s permission to study the source code of such software solutions may lead to the identification of unknown vulnerabilities that can be used to undermine the US network security”.

The main idea of the Reuters article is that requesting source code for auditing is a bad and dangerous practice. This is simply not true. Code auditing is a widespread and routine practice used by companies, professional developers, and information security experts alike to ensure the security of the software they install. The article itself notes that "Reuters did not find any evidence that the audit of the source code was important for conducting cyber attacks." For us at the EFF, auditing the source code of any software we choose to use is commonplace.

Let us be clear: we do not want to downplay foreign threats to US cybersecurity or encourage the exploitation of software vulnerabilities; on the contrary, we want to emphasize that open source and code auditing are among the strongest security measures available. That is why the EFF strongly supports the distribution and use of open source software.

It is not only software manufacturers that prohibit foreign governments from auditing their code; trade agreements are now also being used to prohibit countries from requesting an audit of the code of software packages important to them. The first trade agreement with such a restriction was the Trans-Pacific Partnership (CPTPP, also known as TPP), which is due to be signed in March of this year.

A similar restriction is proposed for inclusion in the renewed North American Free Trade Agreement (NAFTA) and in the upcoming bilateral agreement with the EU. The EFF has already stated its position on this issue: such bans on mandatory code auditing create obstacles to legally requiring measures that confirm the security and quality of software such as VPNs and secure communication tools, as well as devices such as routers and IP cameras.

The implicit assumption that “keeping our source code closed increases our security” is very dangerous. Researchers and information security experts periodically demonstrate that security relying mainly on obscurity simply does not work. Worse, it gives IT professionals a false sense of security and reinforces the corresponding bad approaches to information security.

Even in times of political storms and uncertainty, we should not lose our heads. Allowing audits of a program's source code is not a threat to our national security; in fact, we need more of them.

Source: https://habr.com/ru/post/357462/