Managed service provider (MSP) tools company SolarWinds has unveiled details of its new software development process, designed to avert a repeat of the infamous Sunburst supply-chain cyberattack that the United States government attributed to hackers associated with Russian intelligence agencies.
The Austin, Texas-based SolarWinds became a household name last year after it was revealed that attackers had accessed the company’s Orion software during the build stage and placed malware into software updates issued by the firm.
The sophisticated hack compromised a number of federal agencies and big tech companies, and in the process showed that software supply chains were dangerously vulnerable to hacks.
After revelations of the Sunburst attack, SolarWinds has focused more on security and implemented its own ‘Secure by Design’ initiative aimed at making the company a model for enterprise software security.
Now, SolarWinds has unveiled its so-called “Next-Generation Build System,” which it described as a “transformational model for software development.”
“It’s a major step forward and one other [software vendors] can learn from,” said Tim Brown, chief information security officer of SolarWinds.
In an interview with CRN, Brown noted that SolarWinds is releasing components of the new build system as open-source software.
This enables other organisations to benefit from the company’s work and will hopefully raise supply-chain security standards in general.
SolarWinds said it followed four key tenets in developing its new build process.
Among these is the so-called “dynamic operations,” or making sure software-build environments automatically “self-destruct,” rather than just “sitting there waiting to be attacked,” said Brown.
Another tenet was “simultaneous build process,” which includes limiting employee access to various product tests so that no one person can access all tests.
SolarWinds also committed itself to keeping “detailed records” that track “every software build step for complete traceability and permanent proof of record,” the company said.
Brown said his firm’s new development process is basically a series of “checks and balances” designed to thwart potential hackers if they try to corrupt software in the build stage.
Asked if the new security measures would have prevented the original Sunburst attack if they had been in place at the time, Brown said: “They absolutely would have prevented the modifications of the build systems.”
He said it’s now “much, much more difficult” to hack into the software build process at SolarWinds.
Brown didn’t have details about how much it cost SolarWinds to develop the new software-development process.
He said it ultimately involved millions of dollars and the work of hundreds of engineers over about six months.
While developing new processes for software development, Brown said both channel partners and customers emphasised to SolarWinds that it needed to be very transparent about its security and software development moving forward.
“All vendors, and not just us, are under more scrutiny these days,” he said.
“Communicating transparently and collaborating within the industry is the only way to effectively protect our shared cyber infrastructure from evolving threats,” Sudhakar Ramakrishna, chief executive of SolarWinds, said.
“Our Secure by Design initiative is intended to set a new standard in software supply chain security via innovations in build systems and build processes.
We believe our customers, peers, and the broader industry can also benefit from our practices,” Ramakrishna said.
Ramakrishna took the helm of SolarWinds in January 2021, just weeks after the initial disclosures of the supply-chain hack against the company.