show image

Kaspersky Lab will let experts review its source code as it seeks to regain trust

Kaspersky Lab has pledged to let independent experts review its source code after the US government alleged that its software could be exploited by Russian spies.

The Moscow-based firm has announced a “Global Transparency Initiative” that will engage the security community in verifying its products and business in a bid to regain trust.

“We’ve nothing to hide,” said the firm’s CEO Eugene Kaspersky. “With these actions we’ll be able to overcome mistrust and support our commitment to protecting people in any country on our planet.”

The US government banned its agencies from using the firms’ product last month following reports that Russia had used its antivirus software to steal hacking tools from an NSA contractor’s computer.

The firm denies it assisted Russia. Kaspersky speculated in an interview earlier this month that Russian hackers may have infiltrated the company’s systems and found the NSA tools they correctly identified as malware.

“Even though we have an internal security team, and do bug bounties, we can’t give 100 per cent guarantee that there are no security issues in our products, name another security software vendor who can,” he said.

The Kremlin has also denied the claims.

Professor Alan Woodward, a cyber security researcher at Surrey University, welcomed Kaspersky Labs’ transparency drive but said it would need to be careful about who it chooses to review the code.

“There will be a political edge to it,” he told NS Tech. “If they chose a bunch of Russians who had all worked for the FSB, no one would believe them. You have to give it to someone you trust and someone everyone else trusts too.”

The software reviews will start by the first quarter of next year, Kaspersky said.

In a statement it said the initiative would include the following steps:

  1. The start of an independent review of the company’s source code by Q1 2018, with similar reviews of the company’s software updates and threat detection rules to follow.
  2. The commencement of an independent assessment of the company’s secure development lifecycle processes, and its software and supply chain risk mitigation strategies by Q1 2018.
  3. The development of additional controls to govern the company’s data processing practices in coordination with an independent party that can attest to the company’s compliance with said controls by Q1 2018.
  4. The formation of three Transparency Centers globally, with plans to establish the first one in 2018, to address any security issues together with customers, trusted partners and government stakeholders; the centers will serve as a facility for trusted partners to access reviews on the company’s code, software updates, and threat detection rules, along with other activities. The Transparency Centers will open in Asia, Europe and the U.S. by 2020.
  5. The increase of bug bounty awards up to $100,000 for the most severe vulnerabilities found under the company’s Coordinated Vulnerability Disclosure program, to further incentivize independent security researchers to supplement our vulnerability detection and mitigation efforts, by the end of 2017.