Kaspersky Lab plans audit to show its source code is free of Russian spying

Pavel Golovkin/Associated Press/File 2017

Eugene Kaspersky, the chief executive of Kaspersky Lab, looked through a window decorated with programming code symbols at his company’s headquarters in Moscow.

By Globe Staff 

To refute claims that its popular computer security programs are being used for espionage, the Russian software maker Kaspersky Lab has agreed to the digital equivalent of a strip-search.

On Monday, the company, which has its US headquarters in Woburn, said it will share its raw source code with an independent software testing organization. Kaspersky hopes that an audit of the code will prove its programs don’t contain “backdoors” that were allegedly used by the Russian government to steal sensitive data.

It’s a crucial defensive move for Kaspersky, whose products have been banned from US government computers by the Trump administration out of concern that the software has been compromised by Russian intelligence services.

But it’s unclear whether any amount of transparency will be enough to repair Kaspersky’s reputation in the United States or to prove conclusively that its software is truly trustworthy.

Chris Wysopal, chief technology officer and cofounder of Veracode, a Burlington company that runs security audits of software code, praised Kaspersky’s proposal, calling it “something all vendors should be providing to their customers.”

But such an audit may not be enough. Security software has access to all customer files, and frequently exchanges data with Kaspersky. With so much data changing hands, Wysopal said, there is no guarantee that Kaspersky — or any other cybersecurity firm — could not find other ways to improperly obtain customer data.

“Given the subtlety of backdoors and covert channels, you still have to trust that the vendor isn’t going to these lengths to compromise customer data, or they aren’t being used as a tool of a government to do the same,” he said.

Kaspersky says its software is used by 270,000 companies and organizations and 400 million individuals worldwide. The market research firm IDC Corp., of Framingham, estimates the company’s annual US sales of software for personal computers at about $150 million.

But the company is now fending off a torrent of damning press reports. Earlier this month, The Wall Street Journal reported that the Russian government used Kaspersky software to search computer systems worldwide for secret US government documents. Even before then, a number of major retailers, including Staples, Best Buy, and Office Depot, had pulled Kaspersky software from their stores after a warning from the Department of Homeland Security.

Kaspersky has repeatedly offered to show US officials its source code. And in a blog posting Monday, Kaspersky pledged to take a series of steps aimed at restoring customer confidence. By the first quarter of 2018, it will allow “an internationally recognized authority” to review the company’s source code, the raw commands originally written by human programmers. The company didn’t identify the organization that will undertake the review.

It’s a new policy for Kaspersky, but not unprecedented. A number of major software companies, such as IBM Corp. and Microsoft Corp., provide independent audits to ease the concerns of corporate and government clients. Microsoft even offers a special audited version of its Windows 10 operating system specifically for the Chinese government.

By contrast, some companies want no part of independent audits. In a statement, Symantec Corp., of Mountain View, Calif., one of the world’s largest security software vendors, said, “we do not permit source code inspections by customers, customer-appointed agents, foreign governments, foreign bureaus, or foreign test centers.”

Earlier this month Reuters reported that Symantec had stopped allowing such audits in 2016, out of concern they would show foreign governments how to hijack computers running its security programs.

Kaspersky also promised to carry out an independent review of its internal business practices to ensure their integrity. And starting next year, it will establish three “transparency centers” in Europe, Asia, and the United States where businesses and government agencies will be permitted to inspect the company’s source code for themselves.

Also, Kaspersky jacked up its “bug bounty” program, which pays financial rewards to people who find defects in its products. The program will now offer a maximum reward of $100,000, compared to average bounties of $1,000 to $5,000 announced in August.

Hiawatha Bray can be reached at
Follow him on Twitter @GlobeTechLab.