X

SAP, McAfee, Symantec reportedly let Russia review their code

The security software makers let Russia search for flaws in their products, according to Reuters. That's a concern for US agencies that use the software.

Roger Cheng Former Executive Editor / Head of News
Roger Cheng (he/him/his) was the executive editor in charge of CNET News, managing everything from daily breaking news to in-depth investigative packages. Prior to this, he was on the telecommunications beat and wrote for Dow Jones Newswires and The Wall Street Journal for nearly a decade and got his start writing and laying out pages at a local paper in Southern California. He's a devoted Trojan alum and thinks sleep is the perfect -- if unattainable -- hobby for a parent.
Expertise Mobile, 5G, Big Tech, Social Media Credentials
  • SABEW Best in Business 2011 Award for Breaking News Coverage, Eddie Award in 2020 for 5G coverage, runner-up National Arts & Entertainment Journalism Award for culture analysis.
See full bio
Roger Cheng
2 min read
security-privacy-hackers-locks-key-6724
James Martin/CNET

Russia was allowed to dig for vulnerabilities in software used by the US government, according to Reuters. 

SAP, Symantec and McAfee, which all sell business and security software to clients around the world, gave Russian authorities the go-ahead to review their code, Reuters reported Thursday. That's a concern because US government agencies also use the software, US lawmakers and security experts told Reuters, and Russian knowledge of any vulnerabilities presents a security risk.

In order for the companies to operate in Russia, they had to allow local authorities to look at the code, Reuters said. The news service didn't find any instances where knowledge of the source code played a role in a cyberattack. 

The revelation comes amid concerns about Russia's potential influence over the 2016 US presidential election and the overall worry that we're all vulnerable to cyberattacks. 

Symantec, however, denied that any Russian agency or entity looked at its source code, and noted that the company has revised and updated the software numerous times since  the government review.

"We have no reason to believe that prior reviews impacted the security of our products," the company said in an e-mailed statement. 

SAP says it provides "clean rooms" where government customers can test the code, but can't bring recording devices. 

"Certain SAP governmental customers use security reviews as part of their effort to protect their data and environments by testing for software security flaws," the company said. "To enable such customers to conduct reviews, SAP maintains a Government Security Program, which allows testing SAP solutions against specific government requirements and handles national law enforcement authorities.  

McAfee wasn't available for comment. 

Updated at 2:01 p.m. PT: To include comments from SAP and Symantec.