Russian software developers do not have time to respond to discovered vulnerabilities in their products

Russian software developers do not comply with FSTEC regulations regarding the speed of response to detected vulnerabilities. This threatens to revoke certificates, which would complicate supplies to the public sector. The developers themselves attribute the situation to the growing demand for solutions and the workload of “all levels of support.” Kommersant’s sources also attribute the slowness of vendors to the fact that their software is based on open source, the elimination of vulnerabilities in which is dealt with “not by the developer, but by the community,” and a specific product must be carefully checked for the presence of malicious backdoors (implants) before being transferred to the client.

As Kommersant was told by the Federal Service for Technical and Export Control (FSTEC), Russian software developers regularly violate the agency’s requirements for deadlines for eliminating vulnerabilities in their products. Practice, the service emphasized, shows “insufficient effectiveness of software support.” “Technical support services of Russian vendors must respond with lightning speed to customer requirements, but more and more often a situation arises when feedback on security measures is not enough,” said Deputy Head of FSTEC Vitaly Lyutikov on September 21 at the BIS Summit conference.

At issue is compliance with the requirements of the regulations for including information about software vulnerabilities in the FSTEC Data Bank of Information Security Threats. According to these, a software vendor that receives information about a potential vulnerability in its software must take measures to eliminate it within 30 or 60 days, depending on the level of the threat, for example by developing a fix (patch) for the software.

The head of the board of directors of Basalt SPO, Alexey Smirnov, explains that violation of FSTEC regulations can lead to the revocation of the software’s certificate. This would effectively cut off the vendor’s ability to supply government customers, who require certified software from suppliers.

Russian software developers take twice as long as foreign ones to “work through incidents” and make changes to software, confirms Factory5 CEO Denis Kasimov. The situation, according to him, is associated with increased demand for domestic products and, as a result, an increase in the load on specialists at all levels of technical support.

Russian companies were not prepared for the sharp increase in requests for incident processing after the departure of Western suppliers, agrees Elena Baranova, development director at Auriga LLC. “To reduce the time to process a request, separate service teams are required, which can be too expensive for Russian developers,” she says. The head of the QA department at SimbirSoft, Marina Tarasova, adds that foreign companies had more experience in handling incidents, while Russian players “do not always have the necessary expertise and resources to handle incidents in a timely manner.”

In the spring of 2022, FSTEC revoked the certification of more than 50 foreign developers, including IBM, Microsoft, Oracle, etc. The reason for the revocation of certificates was the lack of technical support from vendors, most of whom stopped business in Russia after the outbreak of hostilities in Ukraine (see Kommersant dated March 28, 2022).

However, market participants also note an important technological reason for the slowness of Russian software suppliers. According to the head of the information security committee of the Domestic Software association, Roman Karpov, a significant share of Russian software certified by FSTEC is based on open source, the elimination of vulnerabilities in which “is dealt with not by a specific developer, but by the community.” “Because of this, some companies are having a hard time getting vulnerabilities fixed on time. Due to companies’ dependence on third-party developers, solving the problem can take several months,” he explains.

A Kommersant source at a developer of system software clarifies that another problem in adapting software based on open source is the risk of malicious code being introduced into it by unscrupulous members of the community, so that “developers are forced to check and double-check each update before transferring it to the user.”

It is incorrect to compare Russian and foreign vendors in terms of the speed of technical support and response to possible software vulnerabilities, APKIT insists. “Import substitution is proceeding at an accelerated pace. Therefore, all the efforts of IT companies are primarily focused on the urgent development of analogues or advanced solutions. Service, training, and documentation may still lag somewhat due to natural reasons of lack of resources,” they note.

Timofey Kornev
