Kaspersky To Put Code Out To Independent Review

Image: Kaspersky CEO, Eugene Kaspersky

Eugene Kaspersky, CEO and chairman of Kaspersky, has announced that the company will open its source code to independent review and set up a number of “transparency centers” in an attempt to repair its damaged reputation. The company has been accused of being either complicit with, or the victim of, Russian agencies that used its endpoint security software as a channel for placing spyware on computers.

According to a blog post, the company will make its source code available to an independent reviewer early next year, open its internal processes to independent scrutiny, open “transparency centers” where its source code and other aspects of its operation can be examined, and increase bug bounty payouts to encourage further review.

Although most of the changes won’t take effect until next year, it’s a sign the company isn’t throwing in the towel in the face of some damning accusations.

As I’ve said before, the company is in real trouble regardless of the outcomes of any investigation. The commercial damage it has already suffered is significant and its reputation has taken a beating.

But, I hope the company can recover. The market would be poorer if a major player, like Kaspersky, was lost.


  • Won’t this backfire in a big way? If they make the code open for review, won’t that make it easier for malware authors to mask themselves from the AV software?

      • No guarantee the built version will be the reviewed version.

        However… which is more evil: The Russians or the NSA? I think I’d trust the Americans far less.

        • Yes – that’s the concern a number of senior security execs have said to me. By the time the independent review happens, there will be a suspicion the code will be scrubbed of anything incriminating. As for the trust question – you can either “trust, but verify” or trust no-one when it comes to national security agencies.

          In that case – just because I’m paranoid, it doesn’t mean they’re not out to get me!

        • You can absolutely guarantee the built version comes from the reviewed version.
          This is how most independent reviews, including the recent Truecrypt Audit, were performed.

          Step 1.
          You build the reviewed code in an identical manner (same compiler and options).
          Kaspersky will need to provide documentation of their build environment so it can be replicated.

          Step 2.
          Hash the binary that results from the reviewed code.

          Step 3.
          Hash the publicly distributed pre-built version from Kaspersky.

          Step 4.
          Compare the hashes and see if they match.
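The four-step procedure in the comment above, written out as an added example that is not part of the original page and is not Kaspersky’s or any auditor’s code. It assumes a vendor-supplied build manifest (a hypothetical `BuildManifest` holding the exact build command, a `SOURCE_DATE_EPOCH` value and any other pinned environment variables) and substitutes a constructed stand-in for the compiler so that it runs without a real toolchain; the sample source, the “distributed” vendor binary and the build timestamp are all constructed. It also adds the check the four steps skip: rebuild twice and confirm the two hashes agree before comparing with the vendor’s binary, because an unpinned timestamp makes two honest builds differ, and a mismatch with the vendor then proves nothing.

```python
"""Verify that a vendor's distributed binary was built from the reviewed source:
rebuild under a documented, pinned environment, hash, compare (steps 1-4 above),
plus the check those steps omit: prove the rebuild itself is reproducible.
Added example; not Kaspersky's, nor any auditor's, code."""
import hashlib
import os
import shutil
import subprocess
import sys
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional


@dataclass
class BuildManifest:
    """Hypothetical record of what the vendor must document for the build to be replicated."""
    command: List[str]                        # exact build command (argv form)
    source_date_epoch: Optional[int] = None   # pins embedded timestamps; None = unpinned
    env: Dict[str, str] = field(default_factory=dict)  # other pinned variables
    output_name: str = "a.out"                # artifact the build produces


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build(manifest: BuildManifest, workdir: Path) -> Path:
    """Run the documented build in a scrubbed environment.  Nothing is inherited
    except PATH, so a stray CFLAGS or TZ on the auditor's machine cannot leak in."""
    env = {"PATH": os.environ.get("PATH", ""), "TZ": "UTC", "LC_ALL": "C"}
    if manifest.source_date_epoch is not None:
        env["SOURCE_DATE_EPOCH"] = str(manifest.source_date_epoch)
    env.update(manifest.env)
    subprocess.run(manifest.command, cwd=workdir, env=env, check=True)
    return workdir / manifest.output_name


def rebuild_hash(manifest: BuildManifest, source_dir: Path) -> str:
    """Copy the reviewed source into a fresh directory, build it, hash the output."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp) / "build"
        shutil.copytree(source_dir, work)
        return sha256_file(build(manifest, work))


def verify(manifest: BuildManifest, source_dir: Path, vendor_binary: Path) -> dict:
    """Steps 1-4 from the comment, with one addition: build twice first.  If two
    rebuilds of the same source disagree, the toolchain is nondeterministic and a
    mismatch with the vendor binary says nothing about the vendor."""
    first, second = rebuild_hash(manifest, source_dir), rebuild_hash(manifest, source_dir)
    vendor = sha256_file(vendor_binary)
    reproducible = first == second
    return {"reproducible": reproducible, "rebuilt_sha256": first,
            "vendor_sha256": vendor, "matches_vendor": reproducible and first == vendor}


# Constructed stand-in for a compiler so the example runs without a toolchain.
# It "compiles" main.src to a.out by prefixing a build stamp and, like many real
# tools, takes the stamp from SOURCE_DATE_EPOCH when set and from the clock
# otherwise.  That is precisely the behaviour that defeats a naive rebuild.
FAKE_CC = [sys.executable, "-c",
           "import os,sys,time;"
           "stamp=os.environ.get('SOURCE_DATE_EPOCH') or str(time.time_ns());"
           "open('a.out','wb').write(b'STAMP:'+stamp.encode()+b'\\n'+open('main.src','rb').read())"]
REVIEWED_SOURCE = b"int main(void) { return 0; }\n"   # constructed sample source
VENDOR_EPOCH = 1509494400                            # hypothetical documented build time


def run_demo(pin_timestamp: bool, tamper: bool) -> dict:
    """Scenario runner: honest or tampered vendor binary, pinned or unpinned rebuild."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        src.mkdir()
        (src / "main.src").write_bytes(REVIEWED_SOURCE)
        # What the vendor ships (constructed): built from the reviewed source at
        # VENDOR_EPOCH, optionally with bytes that are not in the reviewed tree.
        shipped = b"STAMP:%d\n" % VENDOR_EPOCH + REVIEWED_SOURCE
        if tamper:
            shipped += b"/* not in the reviewed tree */\n"
        vendor_bin = Path(tmp) / "vendor_a.out"
        vendor_bin.write_bytes(shipped)
        manifest = BuildManifest(command=FAKE_CC,
                                 source_date_epoch=VENDOR_EPOCH if pin_timestamp else None)
        return verify(manifest, src, vendor_bin)


if __name__ == "__main__":
    for pin, tamper in [(True, False), (True, True), (False, False)]:
        r = run_demo(pin_timestamp=pin, tamper=tamper)
        print(f"pinned={pin} tampered={tamper} -> reproducible={r['reproducible']} "
              f"matches_vendor={r['matches_vendor']}")
```

For a real toolchain the manifest’s `command` is the actual compiler and linker invocation, and timestamps are only the most common source of drift: embedded build paths, debug info, and link order need pinning too, which is what the `SOURCE_DATE_EPOCH` convention from reproducible-builds.org and the scrubbed environment are there for. Matching hashes show that the shipped binary came from the reviewed source under the documented toolchain; they say nothing about whether that toolchain is itself trustworthy, so the toolchain belongs in scope of the review as well.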
