
Well, they could publish their code
But then someone might actually find vulnerabilities that need patching.
In the wake of the Juniper firewall backdoor scandal, Cisco is reviewing its source code to make sure there are no similar nasty surprises lurking within. "Our development practices specifically prohibit any intentional behaviors or product features designed to allow unauthorized device or network access, exposure of sensitive …
"These include, but are not limited to undisclosed device access methods or 'backdoors', hardcoded or undocumented account credentials, covert communication channels, or undocumented traffic diversion."
So, as long as it's a documented backdoor, covert communication channel or traffic diversion process it's ok?
So it could be a secret document, not available to customers, not even to their staff generally, but restricted to a few key senior managers and developers, and that's OK?
What about "PUBLICLY (or at least customer) documented ....."
That was my take on the mealy-mouthed blurb - if the NSA/Cisco is an authorised backdoor, it's fine.
Also, I've clients with 827 ADSL routers on 10 year old firmware. There must have been at least a dozen firmware upgrades available when it was available to buy. Are Cisco going to check all obsolete firmware code?
hiring penetration testers
How is it possible Cisco don't have a permanent red team anyway? If I ran a tech business the size of Cisco with their budget, it'd be a day-one job: put together a red team that operates completely independently of the rest of the org, reports outside the normal chain of command, and sees the source but can't modify it.