Thursday, March 28, 2019

UK raises software engineering concerns in security evaluation of Huawei

The Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board published a 46-page report in which it discusses significant technical issues "in Huawei’s engineering processes, leading to new risks in the UK telecommunications networks." The report also states that although Huawei continues to engage in the security review process, "no material progress has been made by Huawei in the remediation of the issues reported last year."


HCSEC, whose mission is to evaluate the security risks posed by using Huawei’s equipment in critical national infrastructure, is a facility in Banbury, Oxfordshire, belonging to Huawei Technologies and administered by the UK’s National Cyber Security Centre.

Regarding the software engineering issues with potential impact on network security, the report states that the issue "is with Huawei’s underlying build process which provides no end-to-end integrity, no good configuration management, no lifecycle management of software components across versions, use of deprecated and out of support tool chains (some of which are non-deterministic) and poor hygiene in the build environments."

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/790270/HCSEC_OversightBoardReport-2019.pdf