Micro Focus Bans Source Code Reviews By ‘High Risk’ Governments

Newbury, Berkshire-based Micro Focus has said it will no longer allow reviews of its products’ source code by “high risk” governments, after Hewlett Packard Enterprise (HPE) acknowledged that it had allowed a Russian defence agency to inspect the code of a military-grade security tool now owned by the British company.

HPE said last week that, like other companies, it had allowed a third-party company called Echelon to view the source code of ArcSight, a security monitoring tool widely used in the US military, on behalf of the Russian military as a condition for selling the product in Russia.

HPE’s statement followed a report on the matter by Reuters.

‘High risk countries’

ArcSight is also used by private sector firms and was sold to Micro Focus along with other security software in a deal completed last month.

“Micro Focus will not allow any source code reviews if we reasonably believe the governments of high risk countries will have access to that review,” Micro Focus said in a statement.

HPE didn’t inform the Defense Information Systems Agency, the US military’s procurement body, before allowing Russia to carry out the inspection last year, the organisation told Reuters.

ArcSight head Jason Schmitt defended the reviews, saying that “dozens of brand-name products have undergone the same type of certification testing”, according to a statement cited by Reuters.

Political tensions

Technology firms routinely allow the governments of countries including Russia and China to carry out source code inspections in order to gain permission to sell their products in those countries.

HPE said the review in question was carried out in its own facility, with no code allowed to leave the premises.

But such reviews can be controversial due to political and trade concerns, and some firms have said they would no longer allow them. Symantec, for instance, said in 2016 it would no longer permit government code inspections due to security issues.

Political tensions between the US and Russia have escalated since last year’s US presidential elections, with effects felt by technology companies in both countries. For instance, US officials have taken steps this year to ban government bodies from using security software by Moscow-based Kaspersky Lab and have reportedly urged private firms to drop the software. Kaspersky has denied any political links or that its tools present security risks.

Intellectual property concerns

Last week the top computer security official for the current US presidential administration said source code reviews were “problematic”, but said the administration was more concerned about intellectual property theft than security risks.

“There are security aspects of those disclosures (and) they are problematic,” White House computer security coordinator Roby Joyce told an HPE-sponsored Washington Post Cybersecurity Summit.

He added that “if you give your source code to China as a condition of entering into that market, you’ve got to wonder if competitors are then going to start to adopt those features”. His comments were in response to a question about Reuters’ earlier report.

HPE said last week that it “has never and will never take actions that compromise the security of our products or the operations of our customers”.

Do you know all about security in 2017? Try our quiz!