Code Review Isn't Evil. Security Through Obscurity Is.
On January 25th, Reuters reported that software companies like McAfee, SAP, and Symantec allow Russian authorities to review their source code, and that "this practice potentially jeopardizes the security of computer networks in at least a dozen federal agencies." The article goes on to explain what source code review looks like and which companies allow source code reviews, and reiterates that "allowing Russia to review the source code may expose unknown vulnerabilities that could be used to undermine U.S. network defenses."
The spin of this article implies that requesting code reviews is malicious behavior. This is simply not the case. Reviewing source code is an extremely common practice conducted by regular companies as well as software and security professionals to ensure certain safety guarantees of the software being installed. The article also notes that “Reuters has not found any instances where a source code review played a role in a cyberattack.” At EFF, we routinely conduct code reviews of any software that we elect to use.
Just to be clear, we don’t want to downplay foreign threats to U.S. cybersecurity, or encourage the exploitation of security vulnerabilities— on the contrary, we want to promote open-source and code review practices as stronger security measures. EFF strongly advocates for the use and spread of free and open-source software for this reason.
Not only are software companies disallowing foreign governments from conducting source code reviews, trade agreements are now being used to prohibit countries from requiring the review of the source code of imported products. The first such prohibition in a completed trade agreement will be in the Comprehensive and Progressive Trans-Pacific Partnership (CPTPP, formerly just the TPP), which is due to be signed in March this year. A similar provision is proposed for inclusion in the modernized North American Free Trade Agreement (NAFTA), and in Europe’s upcoming bilateral trade agreements. EFF has expressed our concern that such prohibitions on mandatory source code review could stand in the way of legitimate measures to ensure the safety and quality of software such as VPN and secure messaging apps, and devices such as routers and IP cameras.
The implicit assumption that "keeping our code secret makes us safer" is extremely dangerous. Security researchers and experts have made it explicit time and time again that relying solely on security through obscurity simply does not work. Even worse, it gives engineers a false sense of safety, and can encourage further bad security practices.
Even in times of political tension and uncertainty, we should keep our wits about us. Allowing code review is not a direct affront to national security— in fact, we desperately need more of it.