At SolarWinds, we believe security should be a core competency of all organizations.
The December 2020 SUNBURST cyberattack on the SolarWinds software build environment underscored a troubling new reality for the software industry and illuminated the increasingly sophisticated threats that nation-state actors pose to the supply chains and infrastructure on which we all rely.
SolarWinds and the software industry have evolved dramatically since SUNBURST. We have established our Secure by Design commitments and principles around people, infrastructure, and software development. Our team has actively engaged with cybersecurity experts, open-source thought leaders, and customers to raise security awareness. We have also been working with engineers and developers, as proactive members of the open-source community, to develop several pieces of original software that further advance security standards for all those we serve. At SolarWinds, our mission is to build the most powerful, affordable, and secure IT operations management solutions.
In keeping with this mission, we aim to set a new standard in secure software development with our next-generation build system, which incorporates lessons learned from our peers and rests on four central tenets:
- Base the system on ephemeral operations – We have designed a system that leaves no long-lived environments for attackers to compromise. Resources are spun up on demand and destroyed as soon as each discrete task completes, which removes the opportunity for an attacker to establish a "home base" in our systems and persist from one build to the next.
- Produce deterministic artifacts – Emerging standards recommend reproducible builds, in which independent rebuilds of the same source yield bit-for-bit identical artifacts, so that anything altered during compilation becomes detectable by comparison. To meet these standards, we have changed our compilation processes across our entire product suite.
- Build in parallel – Our next-generation build service uses three logical environments: standard, validation, and security. In our standard environment, we record, cryptographically sign, and store every build step in an immutable ledger database. All build jobs are then handed to our validation environment, which is designed with zero ingress or egress to the internet and is accessible only to a limited set of DevOps personnel. Our security environment acts as a third layer, performing a variety of scans and security checks to validate the product before release.
- Verify every build step – A cryptographically signed statement of fact is produced for each task executed in the pipelines. These receipts are stored in an immutable database and verified before any of our software is released.
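The following Python program is an added illustration of the "deterministic artifacts" and "verify every build step" tenets above; it is not code from the SolarWinds build system or from the whitepaper. It records a signed receipt for every pipeline step in a hash-chained, append-only ledger, then applies a release gate that checks the chain, the signatures, the provenance of every input, and that two independent builds produced the same artifact. HMAC-SHA256 with a constructed key stands in for the asymmetric signatures a real pipeline would use, the `compile_artifact` function stands in for a compiler, and the sample source is constructed.

```python
import hashlib
import hmac
import json

# Constructed key for this illustration only. A real pipeline signs with an
# asymmetric key held in an HSM or KMS and verifies with the public half.
STEP_SIGNING_KEY = b"example-step-signing-key"
GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    """Stable JSON encoding so signatures and hashes do not depend on key order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class Ledger:
    """Append-only, hash-chained log of signed per-step receipts."""

    def __init__(self):
        self.entries = []

    def record(self, step: str, inputs: dict, outputs: dict) -> dict:
        statement = {
            "step": step,
            "inputs": inputs,    # material name -> sha256 of what the step consumed
            "outputs": outputs,  # product name  -> sha256 of what the step produced
            "prev": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        sig = hmac.new(STEP_SIGNING_KEY, canonical(statement), hashlib.sha256).hexdigest()
        entry = {"statement": statement, "sig": sig}
        entry["entry_hash"] = sha256_hex(canonical({"statement": statement, "sig": sig}))
        self.entries.append(entry)
        return entry


def verify_ledger(entries: list, trusted_sources: set) -> bool:
    """Release-time check: chain intact, every receipt signed, every input accounted for."""
    prev = GENESIS
    known = set(trusted_sources)  # digests a step is allowed to consume
    for e in entries:
        stmt = e["statement"]
        if stmt["prev"] != prev:
            return False
        expected = hmac.new(STEP_SIGNING_KEY, canonical(stmt), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e["sig"]):
            return False
        if sha256_hex(canonical({"statement": stmt, "sig": e["sig"]})) != e["entry_hash"]:
            return False
        # A step may only consume material that is a pinned source or an earlier step's output.
        if not set(stmt["inputs"].values()) <= known:
            return False
        known |= set(stmt["outputs"].values())
        prev = e["entry_hash"]
    return True


def compile_artifact(source: bytes, build_id: str = "") -> bytes:
    """Stand-in for a compiler. Folding build-specific values (timestamps, paths,
    build IDs) into the output is exactly what breaks reproducibility."""
    return b"BIN:" + hashlib.sha256(source).digest() + build_id.encode()


def run_pipeline(source: bytes, build_id: str = "") -> tuple:
    """One ephemeral build: each step leaves a signed receipt; returns (ledger, artifact digest)."""
    ledger = Ledger()
    src_digest = sha256_hex(source)
    ledger.record("fetch-source", {"pinned-src": src_digest}, {"tree": src_digest})
    binary = compile_artifact(source, build_id)
    bin_digest = sha256_hex(binary)
    ledger.record("compile", {"tree": src_digest}, {"bin": bin_digest})
    package = b"PKG:" + binary
    pkg_digest = sha256_hex(package)
    ledger.record("package", {"bin": bin_digest}, {"pkg": pkg_digest})
    return ledger, pkg_digest


def release_gate(build_a: tuple, build_b: tuple, trusted_sources: set) -> bool:
    """Ship only if both independent builds verify and produced the same artifact."""
    (ledger_a, digest_a), (ledger_b, digest_b) = build_a, build_b
    return (verify_ledger(ledger_a.entries, trusted_sources)
            and verify_ledger(ledger_b.entries, trusted_sources)
            and digest_a == digest_b)


if __name__ == "__main__":
    SOURCE = b"int main(void) { return 0; }\n"  # constructed sample input
    trusted = {sha256_hex(SOURCE)}
    print("deterministic:", release_gate(run_pipeline(SOURCE), run_pipeline(SOURCE), trusted))
    print("timestamped:", release_gate(run_pipeline(SOURCE, "build-1"),
                                       run_pipeline(SOURCE, "build-2"), trusted))
```

The gate rejects three distinct failures: a receipt whose contents were edited after signing (signature and entry hash no longer match), a step that consumed material no earlier step produced and no release manager pinned (the source-substitution case), and a build whose compiler folded a per-build value into the output so the two runs disagree. Note that HMAC lets anyone holding the key forge receipts; the asymmetric scheme a production pipeline uses is what lets the validation and security environments verify receipts without being able to mint them.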
SolarWinds and the software industry have realized dramatic security improvements since December 2020. It is our hope that our shared learnings and advancements can help make every software vendor stronger and more secure. For further details on our next-generation build process, refer to our technical whitepaper, Setting the New Standard in Secure Software Development: The SolarWinds Next-Generation Build System.