In 2020, a Trojan Horse infiltrated a commercial software application developed by SolarWinds, resulting in a high profile security breach. 2 years on, SolarWinds has established a Secure By Design plan in delivering their next generation of products (SolarWinds Next-Generation Build System).
The Secure By Design software development principles are built around 4 tenets:
- Base the system on ephemeral operations
- Ensure build products can be produced deterministically
- Build in parallel
- Record every build step
Inverting old notions of administrative access, this design plan advocates for offering just-in-time permissions, privileges are granted on a least privileged access basis. SolarWinds is also working towards producing environmentally specific configuration and hardening guides, moving away from product specific guides which are standard offerings in the industry.
CIO World Asia spoke with two Solarwinds personnel, Tim Brown, Vice President of Security and Aravind Kurapati, Senior Director of Sales, Asia to find out more about the transformational model for software development.
What’s the market response to SolarWinds Next-Generation Build System?
The response from the market has been very positive. The SolarWinds Next-Gen Build System is a unique model built to improve flexibility, increase resilience, and further elevate security.
How is SolarWinds changing up the industry norms of software development lifecycle?
SolarWinds is not only innovating our designs, but we’re sharing through open-source initiatives, presenting at conferences, and partnering with individual customers.
How does taking an outside-in perspective help software developers to anticipate attackers’ moves?
It’s essential to consider your adversaries and their approach. When we look at the build system, our model separates duties, where the administrator of one build pipeline does not have access to another pipeline. In this model, you would need collusion between multiple people to maliciously affect the builds. This is an example of an assumed breach approach.
Tell us about using red team and table top exercises in technical runs to test a software’s attack-resilience.
Table top exercises and red team testing allow us to simulate an adversary’s actions within our environment and test our controls. Our red team plays the role of an adversary attempting to attack our infrastructure or specific components. We not only test the resilience of the component, we also test our SOC and detection teams with these efforts.
These exercises helps with figuring out what processes you want to handle in house and what you think is appropriate to handle outside. From there that will help you figure out what kinds of parameters you have for who those outside vendors can be.
Please share more on how SolarWinds is making configuration and hardening guides environmentally specific.
The SolarWinds secure configuration guides highlight best practices that can be utilized with all software, and include practices such as proper firewall configurations, proper models for identity and access management, proper logging and configuration management.
To fully embrace SolarWinds’ Secure By Design principles, a switch in users’ mindset is imperative. Armed with cybersecurity solutions, expecting to make impossible all future attacks, is a notion to set aside. Working towards raising the difficulty of breaches, and raising the capability to monitor, detect and respond in a timely fashion, is the new perspective to set in place.