Cisco probes self for Juniper-style backdoors, silently mouths: 'We're doing this for yooou'
No holes in our code, we promise, but we'll check anyway
In the wake of the Juniper firewall backdoor scandal, Cisco is reviewing its source code to make sure there are no similar nasty surprises lurking within.
"Our development practices specifically prohibit any intentional behaviors or product features designed to allow unauthorized device or network access, exposure of sensitive device information, or a bypass of security features or restrictions," Cisco said in an advisory.
"These include, but are not limited to undisclosed device access methods or 'backdoors', hardcoded or undocumented account credentials, covert communication channels, or undocumented traffic diversion."
Having said that, in light of the Juniper cluster-fsck, Cisco will, we're told, conduct a thorough audit of its code to make sure no sneaky coder has been fiddling with its firmware to make its equipment less secure. This will include examining the source code, and hiring penetration testers to stage attacks and see if weaknesses can be found.
The networking giant has committed to publishing the results of the research and will let customers know if any holes have been found, once patches are available.
"Cisco launched the review because the trust of our customers is paramount. We have not been contacted by law enforcement about Juniper’s bulletin, and our review is not in response to any outside request. We are doing this because it’s the right thing to do," the firm said.
That's true, up to a point. But there's also the fact that Cisco is keen to preserve customer confidence. Ever since the Edward Snowden leaks, Cisco has seen sales take a hit, particularly in Asia, over fears that it's a stooge for the NSA.
Those fears are still causing problems, and Juniper's woes will have further knock-on effects throughout the industry.