The pandemic undoubtedly accelerated the growth of digital transformation and the rising use of open source, containers, and APIs. Along with this comes an even more pressing need to focus on software supply chain security. The exponential growth of applications and digital commerce has met with unprecedented security breaches.
SolarWinds recently partnered with IDC’s Jim Mercer, Research Vice President, DevOps and DevSecOps, and Katie Norton, Senior Research Analyst, DevOps and DevSecOps, to create a Q&A for a whitepaper discussing “The Need for Leading Edge Software Supply Chain Security.”
Since applications can support critical business success, the whitepaper explores how software supply chains are often top targets for cyberattacks and how organizations can take action to secure their supply chains.
I wanted to weigh in and provide insight into what we’re doing at SolarWinds to further secure our supply chain and improve security efforts for our customers.
Why is the software supply chain important to secure?
Software has become increasingly dependent on components outside of the organization’s control. This includes platforms, open source, and commercial libraries and service providers. The software supply chain is complex and layered—and doesn’t just involve the shipped code, but how it’s built. Five of the primary attack vectors are infrastructure as code (IaC), leaked secrets or information, continuous integration/continuous delivery (CI/CD) pipeline complexity, overprovisioning, and open-source or third-party components.
The final attack vector is especially critical: our networks are composed of many applications and platforms, each of which poses a security risk. I often refer to this as a pomegranate, with each element represented by a seed.
Our SolarWinds® Hybrid Cloud Observability and SolarWinds Observability solutions can help mitigate cyberthreats. Observability provides end-to-end oversight of service delivery and component dependencies and enables IT teams to see vulnerabilities more clearly. With the pomegranate analogy, observability enables us to see all the seeds at any time and monitor them so we can address weaknesses and mitigate cybersecurity risks. The future of software supply chains is far more positive with observability solutions enabling a comprehensive approach to security.
What are we doing to secure our software supply chain?
We benefit from our 20+ years of experience developing IT solutions. We understand the issues organizations face—including security issues—because we also face them and find ways to solve them. My teams and I have spent many, many hours thinking about the security challenges facing organizations today and how we can ensure our products are as secure as possible.
To help answer these questions, we devised our security strategy: Secure by Design. The guiding principles of Secure by Design shape everything we do, helping us mitigate risks so we can be as secure as possible. Our Next-Generation Build System is being designed to mitigate the risk associated with the build supply chain.
Secure by Design, our guiding principles
Secure by Design is our set of guiding principles for approaching security and cyber resiliency at SolarWinds. Through Secure by Design, we’re working to create a more secure environment and build system centered around transparency and maximum visibility. The basis of Secure by Design is risk management, security best practices, and putting us in the best position for cyberthreat mitigation.
Our guiding principles include the following:
- Develop a resilient build environment, called our Next-Generation Build System
- Build out a community approach to support cyber resiliency
- Improve overall security through transparency
- Build out a security team to conduct frequent red and purple teaming and auditing in the middle of builds
- Increase efforts to gain more visibility into systems and processes
- Go beyond zero trust with an “assume breach” mindset
With Secure by Design, our environments, software build processes, and ongoing life cycle management are all designed to adhere to a multi-layer security framework.
Designing the Next-Generation Build System to further secure our supply chain
As we continue to develop our Next-Generation Build System, we’re working and exchanging ideas with cybersecurity experts, open-source thought leaders, customers, engineers, and developers, all with the goal of setting a new standard in secure software development.
Early in our design efforts, we crystallized what we call the Golden Rule of our Next-Generation Build System: “Developers shall have fine-grained control over the things they build but have zero control over how those things are validated and secured.”
This is critical to further securing our environment from disruptions caused by external and internal threats. We needed to ensure adequate security management to protect against this worst-case scenario and an outside attack.
To be successful, the Next-Generation Build System needed to meet four tenets to support the Secure by Design software development principles and help ensure adequate security measures, bolster resiliency against future attacks, and provide a great developer experience. These tenets are as follows:
- Base the system on ephemeral operations, leaving no long-lived environments available for attackers to compromise. Instead, we designed a system to spin up resources on demand and destroy them when they complete the discrete task to which they’ve been assigned. This removes the opportunity for attackers to establish a “home base” in our systems and makes it harder for threat actors and cybercriminals to mount an attack.
- Ensure build products can be produced deterministically for a given set of inputs so building an artifact more than once will produce identical outputs. These outputs will be compared in the next step.
- Build in parallel, producing multiple, secure product builds to establish a basis for integrity checks. We refer to the products of such a system as consensus-attested builds.
- Record every build step, creating an immutable record of proof and providing complete traceability. We also have a full-time red team to conduct simulated security breaches to help ensure our builds can withstand software supply chain attacks.
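The four tenets above, as an added Python example that is not SolarWinds code: a constructed, deterministic stand-in for a build job, a consensus check that accepts an artifact only when a quorum of independent builders produced byte-identical output from identical inputs, and a hash-chained, MAC-protected record of build steps. All function names, the sample inputs and the log key are assumptions for illustration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class BuildResult:
    builder: str         # which ephemeral builder ran the job
    input_digest: str    # digest of the pinned inputs it consumed
    output_digest: str   # digest of the artifact it produced

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def simulated_build(builder: str, inputs: dict, tamper: bytes = b"") -> BuildResult:
    """Constructed stand-in for a deterministic build: canonical inputs -> artifact.
    `tamper` models a compromised builder injecting bytes into its own output."""
    canonical = json.dumps(inputs, sort_keys=True).encode()
    artifact = hashlib.sha256(b"artifact:" + canonical).digest() + tamper
    return BuildResult(builder, sha256_hex(canonical), sha256_hex(artifact))

def consensus_attest(results: list, quorum: int):
    """Accept an output only when at least `quorum` builders that consumed identical
    inputs produced identical outputs; returns None when there is no consensus."""
    if len({r.input_digest for r in results}) != 1:
        return None  # builders did not even agree on inputs; nothing to compare
    votes: dict = {}
    for r in results:
        votes.setdefault(r.output_digest, []).append(r.builder)
    digest, agreeing = max(votes.items(), key=lambda kv: len(kv[1]))
    if len(agreeing) < quorum:
        return None
    dissenting = sorted({r.builder for r in results} - set(agreeing))
    return {"output_digest": digest, "attested_by": sorted(agreeing), "dissenting": dissenting}

def append_record(log: list, step: str, payload: dict, key: bytes) -> None:
    """Append a step to a hash-chained log: each tag commits to the previous entry's
    tag, so editing, reordering or dropping a step breaks verification."""
    prev = log[-1]["tag"] if log else "0" * 64
    body = json.dumps({"step": step, "prev": prev, "payload": payload}, sort_keys=True)
    log.append({"step": step, "prev": prev, "payload": payload,
                "tag": hmac.new(key, body.encode(), "sha256").hexdigest()})

def verify_log(log: list, key: bytes) -> bool:
    prev = "0" * 64
    for e in log:
        body = json.dumps({"step": e["step"], "prev": prev, "payload": e["payload"]}, sort_keys=True)
        expected = hmac.new(key, body.encode(), "sha256").hexdigest()
        if e["prev"] != prev or not hmac.compare_digest(expected, e["tag"]):
            return False
        prev = e["tag"]
    return True
```

A real deployment would replace the simulated build with the actual pipeline job and the shared MAC key with a signing key held outside the builders, so that no single builder can both produce an artifact and forge its attestation.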
My final thoughts
As solution and service providers, we focus on our customers, asking ourselves how we can provide the best and most secure solutions possible. We want to be exemplary, which is why we’re integrating our Secure by Design principles and our Next-Generation Build System into everything we do. In doing so, we’ve improved our own supply chain security risk management and can support our customers as they work to mitigate their own supply chain security risks.
To learn more about software supply chain security, read the Q&A between SolarWinds and IDC in “The Need for Leading Edge Software Supply Chain Security.”
For additional information about what SolarWinds is doing to mitigate supply chain threats, check out our Secure by Design resources.