Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

HPE hit with security quandary after Russian ArcSight review

Reuters | Oct. 3, 2017
Sources indicate that HPE inadvertently let a Russian defence agency review the inner workings of cyber defence software used by the Pentagon.

HPE said no "backdoor vulnerabilities" were discovered in the Russian review. It declined to provide further details.

HPE said it allows Russian government-accredited testing companies to review source code in order to win the Russian defence certifications it needs to sell products to Russia's public sector.

An HPE spokeswoman said source code reviews are conducted by the Russian testing company at an HPE research and development centre outside of Russia, where the software maker closely supervises the process.

No code is allowed to leave the premises, and HPE has allowed such reviews in Russia for years, she said.

Those measures ensure "our source code and products are in no way compromised," she said.

Some security experts say that studying the source code of a product would make it far easier for a reviewer to spot vulnerabilities in the code, even if they did not leave the site with a copy of the code.

In a 2014 research paper, Echelon directors said the company discovered vulnerabilities in 50 per cent of the foreign and Russian software it reviewed.

Still, security analysts said the source code review alone, even if it yielded information about vulnerabilities, would not give hackers easy entry into the military systems. To infiltrate military networks, hackers would need to first overcome a number of other security measures, such as firewalls, said Alan Paller, founder of the SANS Institute, which trains cybersecurity analysts

Paller also said HPE's decision to allow the review was not surprising. If tech companies like HPE want to do business in Russia, "they don't really have any choice," he said.

HPE declined to disclose the size of its business in Russia, but Russian government tender records show ArcSight is now used by a number of state firms and companies close to the Kremlin, including VTB Bank and the Rossiya Segodnya media group.

The HPE spokeswoman said Reuters' questions about the potential vulnerabilities were "hypothetical and speculative in nature."

HPE declined to say whether it told the Pentagon of the Russian review, but said the company "always ensures our clients are kept informed of any developments that may affect them."

A spokeswoman for the Pentagon's Defense Information Systems Agency, which maintains the military's networks, said HPE did not disclose the review to the US agency. Military contracts do not specifically require vendors to divulge whether foreign nations have reviewed source code, the spokeswoman said.

The US military agency itself did not require a source code review before purchasing ArcSight and generally does not place such requirements on tech companies for off-the-shelf software like ArcSight, the Pentagon spokeswoman said. Instead, DISA evaluates the security standards used by the vendors, she said.

 

Previous Page  1  2  3  4  Next Page 

Sign up for Computerworld eNewsletters.