Certifications. Standards. Protection. All terms that seem to garner buzz and attention in the security industry. Last week, Reuters published an article claiming the Russian Defence Agency was provided access to ArcSight which presented a potential security vulnerability for the broader U.S. military community.
Let’s talk certifications.
Just as when selling to the U.S. government, vendors selling to Russian IT companies are required to achieve FSTEC / FSTEK certification. FSTEC certification is a common practice amongst large companies who conduct business in Russia. Certifications are a standard practice in the technology industry and not limited to Russia. Many other countries require some level of security certification before sales into their national markets, including the U.S. by way of Common Criteria certification. There are over 50 Western companies that have FSTEC certified products, and according to public reports, those include major tech companies such as Cisco, IBM, Microsoft, SAP, and others. The list is a who’s who of security, networking and IT infrastructure vendors whose technology is used by the U.S. government.
It’s standard industry practice, but I understand the risks and the sensitivity of the situation given the current political climate. Nevertheless, I have been surprised by the reaction of many respected security professionals who took the allegations in the article at face value, when it is fairly easy to confirm with public information that dozens of brand-name products have undergone the same type of certification testing over many years.
We value the trust of our customers and we understand that this article may have caused some alarm. We believe in transparency and we are committed to ensuring that all of our customers and partners are informed if there was, in fact, any cause for concern. Customers and partners can rest assured, we put the security of our products and our customers at the core of what we do.
Here are the facts.
In 2015, while part of Hewlett-Packard Company (HP), ArcSight product teams, like teams within many other companies, worked with an approved third-party certification vendor to perform a certification test on a specific set of products to ensure that no backdoors or vulnerabilities were present in our products. All testing was performed on HP-provisioned machines, at an HP facility in California, in an environment with an air-gapped network. The certification test took place entirely under the supervision of HP engineers and cyber security specialists to ensure that source code and products were in no way compromised. We are aware of no evidence that shows source code could have been copied or compromised, and no vulnerabilities were reported during or after the certification inspection.
We take the security of our products very seriously, and it’s not just as part of this process, but in the larger scope of our day-to-day business and the full commitment Micro Focus has to the security of our products and the secure operations of our customers. We build and deliver market-leading software security products that we use ourselves internally to determine that our products are free from security vulnerabilities before we ever ship them. Our company adheres to recognized security protocols and best practices across our global operations.
Customers are always at the center of what we do, so much so that Micro Focus will not allow any source code reviews if we reasonably believe the governments of high-risk countries will have access to that review. In addition, our CEO, Chris Hsu, who began his career as a military officer and understands the importance of security and privacy, will be part of the approval process required for any source-code review going forward.
We build, sell and support software that powers and secures some of the largest enterprises and government agencies in the world. We value being a trusted and certified partner and we are committed to continuing to be your most trusted and certified partner.