"It's not clear how the code got there or how long it has been there. An advisory published by the company said that NetScreen firewalls using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are affected and require immediate patching"
If they use a Subversion/Git code repo to maintain their codebase, they should be able to track down who wrote the code and when.
Not if the version control system itself was compromised; any audit trail could itself have been tampered with to hide traces of who really made the change.
Or if by "unauthorised" they mean "via unauthorised use of an authorised account" - i.e. one of their dev team had their account hacked.
Even "when" could be difficult to be confident about, never mind "who", especially if the event happened quite some time ago, so the amount of other information available for forensic analysis may be minimal (network logs have probably been archived off, maybe to /dev/null, by now).
You could have them do it, but it's just going deeper down the rabbit hole. The eventual question is "who/what do you trust?" - maybe it was the git server that got pwned?
A PGP-signed commit with a key generated on a smartcard (and never exposed) is a little better, but ... Someone pwned RSA before, and I'd be surprised if Gemalto and Yubico (just two examples) don't have some Three-Letter-Agency backdoor (and ... I'm sure those TLAs have equipment that can read modern smartcards).
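The kind of audit the comments above describe (signed commits checked against a known set of team keys) as an added example that is not from the original thread or from Juniper: it parses the output of `git log --format='%H %G? %GK %an'` and flags every commit that is unsigned, badly signed, or signed by a key outside an allow-list. The allow-list of key IDs and the sample log lines are constructed for illustration; the check is only as trustworthy as the keys and the repository it reads.

```python
"""Flag commits whose signature status or signing key is not what the team expects."""
import subprocess
from dataclasses import dataclass

GOOD = "G"  # git's %G? code for a good signature from a trusted key

# Meanings of the %G? status codes printed by git log.
STATUS_MEANING = {
    "G": "good signature", "B": "bad signature",
    "U": "good signature, key untrusted", "X": "good signature, key expired",
    "Y": "good signature, expired key", "R": "good signature, key revoked",
    "E": "signature cannot be checked (missing key)", "N": "no signature",
}

@dataclass
class Finding:
    commit: str
    author: str
    status: str
    key: str
    reason: str

def git_log_lines(repo, rev_range="HEAD"):
    """Run git log in `repo` and return one '<hash> <status> <keyid> <author>' line per commit."""
    out = subprocess.run(["git", "-C", repo, "log", "--format=%H %G? %GK %an", rev_range],
                         check=True, capture_output=True, text=True).stdout
    return out.splitlines()

def audit_signatures(log_lines, allowed_keys):
    """Return a Finding for each commit not carrying a good signature from a key in allowed_keys."""
    findings = []
    for line in log_lines:
        if not line.strip():
            continue
        # %GK is empty for unsigned commits, which leaves two consecutive spaces.
        parts = line.split(" ", 3)
        commit, status, key = parts[0], parts[1], parts[2]
        author = parts[3] if len(parts) > 3 else ""
        if status != GOOD:
            findings.append(Finding(commit, author, status, key, STATUS_MEANING.get(status, "unknown status")))
        elif key not in allowed_keys:
            findings.append(Finding(commit, author, status, key, "signed by key not in allow-list"))
    return findings

# Constructed sample output (hashes and key IDs are placeholders, not real commits).
SAMPLE_LOG = """\
1111111111111111111111111111111111111111 G ABCDEF0123456789 alice
2222222222222222222222222222222222222222 N  bob
3333333333333333333333333333333333333333 G FEDCBA9876543210 mallory
4444444444444444444444444444444444444444 B ABCDEF0123456789 alice
"""
TEAM_KEYS = {"ABCDEF0123456789"}  # assumed allow-list of the team's smartcard key IDs

if __name__ == "__main__":
    for f in audit_signatures(SAMPLE_LOG.splitlines(), TEAM_KEYS):
        print(f"{f.commit[:12]} {f.author:<8} {f.reason}")
```

Point `git_log_lines` at a real checkout to audit a live branch; `%G?` only reports "G" when the key is already trusted in the local GnuPG keyring.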