Pavel Golovkin/Associated Press/File 2017
To refute claims that its popular computer security programs are being used for espionage, the Russian software maker Kaspersky Lab has agreed to the digital equivalent of a strip-search.
On Monday, the company, which has its US headquarters in Woburn, said it will share its raw source code with an independent software testing organization. Kaspersky hopes that an audit of the code will prove its programs don’t contain “backdoors” that were allegedly used by the Russian government to steal sensitive data.
It’s a crucial defensive move for Kaspersky, whose products have been banned from US government computers by the Trump administration out of concern that the software has been compromised by Russian intelligence services.
But it’s unclear whether any amount of transparency will be enough to repair Kaspersky’s reputation in the United States or to prove conclusively that its software is truly trustworthy.
Chris Wysopal, chief technology officer and cofounder of Veracode, a Burlington company that runs security audits of software code, praised Kaspersky’s proposal, calling it “something all vendors should be providing to their customers.”
But such an audit may not be enough. Security software has access to all customer files, and frequently exchanges data with Kaspersky. With so much data changing hands, Wysopal said, there is no guarantee that Kaspersky — or any other cybersecurity firm — could not find other ways to improperly obtain customer data.
“Given the subtlety of backdoors and covert channels, you still have to trust that the vendor isn’t going to these lengths to compromise customer data, or they aren’t being used as a tool of a government to do the same,” he said.
Kaspersky says its software is used by 270,000 companies and organizations and 400 million individuals worldwide. The market research firm IDC Corp., of Framingham, estimates the company’s annual US sales of software for personal computers at about $150 million.
But the company is now fending off a torrent of damning press reports. Earlier this month, The Wall Street Journal reported that the Russian government used Kaspersky software to search computer systems worldwide for secret US government documents. Even before then, a number of major retailers, including Staples, Best Buy, and Office Depot, had pulled Kaspersky software from their stores after a warning from the Department of Homeland Security.
Kaspersky has repeatedly offered to show US officials its source code. And in a blog posting Monday, Kaspersky pledged to take a series of steps aimed at restoring customer confidence. By the first quarter of 2018, it will allow “an internationally recognized authority” to review the company’s source code, the raw commands originally written by human programmers. The company didn’t identify the organization that will undertake the review.
It’s a new policy for Kaspersky, but not unprecedented. A number of major software companies, such as IBM Corp. and Microsoft Corp., provide independent audits to ease the concerns of corporate and government clients. Microsoft even offers a special audited version of its Windows 10 operating system specifically for the Chinese government.
By contrast, some companies want no part of independent audits. In a statement, Symantec Corp., of Mountain View, Calif., one of the world’s largest security software vendors, said, “we do not permit source code inspections by customers, customer-appointed agents, foreign governments, foreign bureaus, or foreign test centers.”
Earlier this month Reuters reported that Symantec had stopped allowing such audits in 2016, out of concern they would show foreign governments how to hijack computers running its security programs.
Kaspersky also promised to carry out an independent review of its internal business practices to ensure their integrity. And starting next year, it will establish three “transparency centers” in Europe, Asia, and the United States where businesses and government agencies will be permitted to inspect the company’s source code for themselves.
Also, Kaspersky jacked up its “bug bounty” program, which pays financial rewards to people who find defects in its products. The program will now offer a maximum reward of $100,000, compared to average bounties of $1,000 to $5,000 announced in August.