Russia Gets Their Hands on Widely Used ERP Software Code

Last month, Reuters reported that three enterprise resource software providers SAP, Symantec and McAfee allowed Russia to review the software’s source code for vulnerabilities.

According to Reuters, “The practice potentially jeopardizes the security of computer networks in at least a dozen federal agencies, U.S. lawmakers and security experts said. It involves more companies and a broader swath of the government than previously reported.”

As a requirement to enter the Russian market, these companies allowed the Russian defense agency to look over the source code of their products. According to Russian authorities, a review of source code is necessary to detect any flaw that could be used by hackers.

The process involves reviewing the code that makes up a software’s workings prior to placing it in high-risk markets such as the financial sector. These reviews take place within a lab where Russian reviewers can scan the code to look for issues, however they cannot download a copy or alter a copy of the code. These reviewers look for “backdoors”, hidden applications to allow spying that they believe may be embedded into the program. Although their case may make sense, revealing the source code of these products is a huge risk.

This process has the ability to reveal vulnerabilities that the Russians could use to exploit and hack into the software at a later time. These products are used by the Pentagon, NASA, the FBI and the US Army and Navy. Reuters has determined through careful analysis of federal documents that the potential risks to the US government from Russia could be more widespread.

In October of 2017, Hewlett Packard’s ArcSight software that is used to secure Pentagon computers was also reviewed by a Russian military contractor with ties to Russia’s security services. According to Reuters, “Beyond the Pentagon, ArcSight is used in at least seven other agencies, including the Office of the Director of National Intelligence and the State Department’s intelligence unit, the review showed. Additionally, products made by SAP, Symantec and McAfee and reviewed by Russian authorities are used in at least eight agencies. Some agencies use more than one of the four products.”

While some experts believe that source code reviews do not compromise a product’s security. Symantec and McAfee no longer allow these reviews, due to growing concerns about security. However, according to Steve Quane, vice president at Trend Micro, there is certainly a way for hackers to gain insight just by examining the source code. Quane states, “Even letting people look at source code for a minute is dangerous. We know there are people who can do that, because we have people like that who work for us.”

Alexey Markov, president of Echelon which inspected the source code for ArcSight states, “his team always informs tech companies before handing over any discovered vulnerabilities to Russian authorities, allowing the firms to fix the detected flaw. The source code reviews of products “significantly improves their safety.” Yet, most individuals involved with any cyber security the United States disagree. Providing free ranging access to source code is dangerous and showing anyone the code outside of our country can pose a security risk.