SolarWinds became the figurehead of attacks on software supply chains last year when a group of threat actors injected malicious code known as Sunburst into the company’s software development system. It was then distributed to thousands of government and corporate customers around the world via an upgrade to the Orion product.
SolarWinds has learned from the experience and introduced new software development practices and technology to strengthen the integrity of its build environment. These include what SolarWinds claims is the first of its kind "parallel build" process, in which software is built through multiple, highly secure, parallel paths whose outputs provide a foundation for integrity checks.
“If a build system doesn’t have integrity checks to ensure that compiled binaries match the intended source code used to create them, then this approach is a definite improvement,” said Daniel Kennedy, research director for information security and networking at 451 Research. “The new system was developed using an accelerated timeline, so there is no guarantee that the system will be completely secure from the start, but it appears that the new system will also allow for faster and more dynamic actions, should new threats emerge. The new system also has greater design transparency, allowing for faster and more reliable improvement, maintenance and development.”
“AppDev’s entire CI/CD pipeline approach is not just linear, but is essentially based on a single line, so the introduction of parallel lines, perhaps where one team checks the work of the other, sounds like an approach to a more secure-by-design environment,” added Rik Turner, senior chief analyst for cybersecurity at Omdia, a technology consulting firm.
New development processes may have prevented an attack
“Had the new construction been in effect as early as March 2020, the attack likely could have been prevented or dealt with more quickly,” said Shital Thekdi, an associate professor of analysis and operations at the University of Richmond.
“The new build scheme would have greatly reduced the chances of hackers being able to tamper with the build system without being noticed,” added Ken Arora, senior engineer in the CTO’s office at F5, a supplier of application security and industrial tools. “Even if the attackers had some success, the compromise would have been short-lived due to the dynamic operation strategy and self-destructive approach.”
Collaboration key to protect shared infrastructure
The new SolarWinds system is built around four ‘secure-by-design’ principles:
- Operations are dynamic and use short-term software build environments that self-destruct after completing a specific task.
- Products are built systematically so that builds are deterministic: the same inputs always yield identical, safe build artifacts.
- Processes include concurrent builds, so that build artifacts such as data models are produced in parallel, providing a foundation for detecting unexpected changes to the products.
- Detailed records are maintained, ensuring every step in software building is tracked for full traceability and permanent proof of record.
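One way to implement the integrity check that parallel, deterministic builds make possible, as an added example and not SolarWinds' own code: artifacts from two independent build environments are hashed and compared, any divergence or missing artifact blocks release, and a dated record is kept. The environment names, artifact paths and artifact contents below are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: artifacts emitted by two independent build environments
# (hypothetical names "env-a" and "env-b"), keyed by artifact path. In this
# constructed data one artifact differs between the two paths.
SAMPLE_BUILDS = {
    "env-a": {"bin/core.dll": b"MZ core-v1", "bin/agent.dll": b"MZ agent-v1"},
    "env-b": {"bin/core.dll": b"MZ core-v1", "bin/agent.dll": b"MZ agent-v1-X"},
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_parallel_builds(builds: dict) -> dict:
    """Map artifact path -> {"status": match|mismatch|missing, "digests": {env: sha256}}.
    An artifact absent from any environment is "missing", never silently "match"."""
    paths = sorted({p for artifacts in builds.values() for p in artifacts})
    report = {}
    for path in paths:
        digests = {env: sha256_hex(a[path]) for env, a in builds.items() if path in a}
        if len(digests) < len(builds):
            status = "missing"       # one build path did not produce it
        elif len(set(digests.values())) == 1:
            status = "match"         # all paths agree byte-for-byte
        else:
            status = "mismatch"      # divergence: block release and investigate
        report[path] = {"status": status, "digests": digests}
    return report


def build_record(builds: dict) -> dict:
    """Audit record for the release gate: release only if every artifact matches."""
    report = verify_parallel_builds(builds)
    return {
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "environments": sorted(builds),
        "artifacts": report,
        "release_allowed": all(r["status"] == "match" for r in report.values()),
    }


if __name__ == "__main__":
    print(json.dumps(build_record(SAMPLE_BUILDS), indent=2))
```

Run on the constructed sample, the record flags bin/agent.dll as a mismatch and sets release_allowed to false; with identical outputs from both environments it allows release.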
Since the software build process that SolarWinds was using at the time of the Sunburst attack is widely used by the industry, the company is making some components of its new build system available to the public as open source software. SolarWinds CEO and President Sudhakar Ramakrishna said, “Transparent industry communication and collaboration is the only way to effectively protect our shared cyber infrastructure from evolving threats.”
Copyright © 2022 IDG Communications, Inc.