McAfee announced it will no longer permit foreign governments to scrutinize its product source code for hidden backdoors, at the same time as Kaspersky Labs is offering to be more transparent with its source code.
A McAfee spokeswoman told Reuters her firm ended the reviews earlier this year after it spun off from Intel in April as an independent company but did not give a precise timeline for exactly when it stopped allowing reviews.
“The new McAfee has defined all its own new processes, reflecting business, competitive and threat landscapes unique to our space,” the spokeswoman told the publication. “This decision is a result of this transition effort.”
The spokeswoman said the new policy also prevents third-party entities from doing reviews on behalf of governments adding that there had been no evidence of security issues related to the reviews before the policy change. In early 2016, McAfee’s competitor Symantec adopted a similar global policy of refusing to comply with government-mandated source code reviews required to win entry to a market.
While McAfee’s actions may suggest that the security firm feels it has nothing to prove, other security firms are opting to take a different route to prove the integrity of their code. Kaspersky Labs recently announced a transparency initiative to share code updates to help build trust.
“As one security vendor opens its code up for scrutiny, so another battens down its hatches,” Comparitech Security Researcher Lee Munson said. “Unlike Kaspersky, however, McAfee is not in the middle of a political storm surrounding its alleged association with a foreign government or the prospect of subterfuge on behalf of the FSB.”
Munson agreed with McAfee’s decision to lock down their code while acknowledging the alternative does offer the advantages of having extra eyeballs on the code looking for errors and weaknesses. Ultimately he said the dangers of allowing hackers to learn the inner workings of security software should not be underestimated. Munson said he believes McAfee’s decision will be mirrored by other firms.
Some researchers believe the benefits of code review outweigh the negatives so much so that all security code should be open source and available to the scrutiny of anyone
“In a world of one trillion connected devices all security software should be open source, available for scrutiny to anyone,” prpl Foundation Chief Security Strategist Cesare Garlati said. “There is consensus in the security community that the so called ‘security through obscurity’ never worked – just look at Windows Microsoft or Adobe Flash if you need proof.”
Garlati said that while there is an obligation to protect intellectual property, it should be addressed from a legal perspective through appropriate licensing schemes.