
Building Better Software Supply Chain Security by Being Secure by Design

The exponential growth of applications and digital commerce has been met with unprecedented security breaches across software supply chains. At SolarWinds Day: Secure by Design, I closed a panel led by SolarWinds VP of Government Affairs Chip Daniels that brought together a bipartisan group of government leaders, including Congressman Darrell Issa (R-CA), Congressman Raja Krishnamoorthi (D-IL), and CISA Executive Assistant Director for Cybersecurity Eric Goldstein, along with our own President and CEO Sudhakar Ramakrishna. Part of the conversation among these experts touched on software supply chain security and the severity of the current threat. With that discussion still fresh in my mind, I want to continue the conversation around software supply chain security, including what we’re doing at SolarWinds to secure our own software supply chain and improve security for our customers.

Understanding software supply chain security

The software supply chain is everything that touches an application or plays a role in its development throughout the software development life cycle (SDLC). Software supply chain security is the practice of securing the components, activities, and practices involved in creating and deploying that software. It requires uncovering, understanding, and acting on vulnerabilities and security risks across your ecosystem. One way to support a more secure supply chain is to build a robust security strategy for software development that accounts for the third-party software and open-source components you depend on. We’ll talk about what this means for SolarWinds shortly. First, I want to explain why understanding the potential security issues and risks within your development environment, software components, and sensitive data is critical to having sufficient software supply chain security practices as part of your security posture. For more on how software supply chains are often highly vulnerable to cyberattacks and how organizations can take action to secure them, see the whitepaper created in partnership with DevOps and DevSecOps researchers from IDC, “The Need for Leading Edge Software Supply Chain Security.”

Why is software supply chain security important?

The software supply chain is complex and layered, from the codebase to how it’s built, what it does, and the workflows around it. The pandemic accelerated digital transformation and, with it, the use of open-source components, containers, and APIs. Each of these expands the attack surface, and their new and expanded use increases the risk of introducing vulnerabilities. Today, some of the primary attack vectors for supply chains include:
  • Misconfigured or unreviewed infrastructure as code (IaC), which provisions the very environments the software runs in
  • Leaked secrets or sensitive information, such as credentials, tokens, and keys committed to repositories or exposed in logs
  • Continuous integration/continuous delivery (CI/CD) pipeline complexity, where every stage, plugin, and integration is another place to tamper with a build
  • Overprovisioning, where build systems, service accounts, and developers hold more permissions than they need
  • Vulnerable or malicious open-source software and third-party components
One of the most common areas of vulnerability is also one of the most critical in an environment: our networks. I often compare a network and its many elements to a pomegranate with its many seeds. The seeds are the hundreds or thousands of applications and platforms within a network, and each one is an opportunity for a security issue. As a result, you can only be as secure as the least secure element. Any gap gives an adversary a way in and a place to introduce malicious code or malware. To remain as secure as possible, you must know where the vulnerabilities lie within each link of the chain: software and apps, developer tools, permissions, repositories, source code, open-source software, CI/CD pipelines, and more. An unknown vulnerability in any of these, or in links not listed here, is a software supply chain security risk.

Our SolarWinds® Hybrid Cloud Observability and cloud-native SolarWinds Observability solutions can help mitigate cybersecurity threats through expanded visibility. By providing end-to-end oversight of service delivery and component dependencies, observability lets teams across an organization, from IT to development, see vulnerabilities more clearly. Integrated automation through AIOps can further support security efforts by limiting the opportunity for human error. To return to the pomegranate analogy, observability lets us see all the seeds at any time and monitor them, so we can address weaknesses and mitigate cybersecurity risks. The future of software supply chain security is far more promising with observability solutions providing a comprehensive approach to risk identification and remediation.

SolarWinds software supply chain security

We benefit from nearly 25 years of experience developing IT solutions. We understand the challenges organizations face, including cybersecurity issues, because we face them too and have to solve them. My teams and I have spent many hours thinking about the security challenges facing organizations today and how we can make our products and solutions as secure as possible. To address those challenges, we devised our security initiative: Secure by Design.

Secure by Design, our guiding principle

Secure by Design is our guiding principle for approaching security and cyber resiliency at SolarWinds. Through Secure by Design, we’re creating a more secure environment and build system centered on transparency and maximum visibility. At its core is our work on risk management, security best practices, and mitigating security risks and vulnerabilities so we become as secure as possible. To reach that goal, the Secure by Design initiative has led us to do the following:
  • Developing a resilient build environment, called our Next-Generation Build System, to further mitigate the risk associated with the build and software development supply chain
  • Building out a community approach to support cyber resiliency
  • Improving overall security through transparency
  • Creating a security team to conduct frequent red- and purple-team exercises and to audit builds while they run
  • Increasing efforts to gain more visibility into systems and processes
  • Going beyond zero trust with an “assume breach” mindset
  • Designing our environments, software build processes, and ongoing life cycle management to adhere to a multi-layer security framework

Designing the Next-Generation Build System to amplify security

As we continue to develop our Next-Generation Build System, we’re working and exchanging ideas with cybersecurity experts, open-source thought leaders, customers, engineers, and developers, all with the goal of setting a new standard in secure software development. Early in our design efforts, we crystallized what we call the Golden Rule of our Next-Generation Build System: “Developers shall have fine-grained control over the things they build but have zero control over how those things are validated and secured.” Separating building from validation is critical to protecting our environment from disruptions caused by external and internal threats and vulnerabilities: a compromised developer account or workstation, or a malicious insider, should still be unable to change how an artifact is validated. We needed security management adequate to protect against that worst case as well as an outside attack. To make the Next-Generation Build System successful, we aligned on four key tenets that support the Secure by Design software development principles, help ensure adequate security measures, bolster resiliency against future attacks, and provide a great developer experience. These tenets are as follows:
  1. Base the system on ephemeral operations, leaving no long-lived environments for attackers to compromise. Resources are spun up on demand and destroyed once they complete the discrete task assigned to them, which removes the opportunity for attackers to establish a “home base” in our systems and makes persistence far harder for threat actors.
  2. Ensure build products can be produced deterministically for a given set of inputs, so building an artifact more than once yields byte-for-byte identical output. In practice this means pinning everything that feeds the build, including dependency versions, the toolchain, and any timestamps or paths that would otherwise be embedded in the artifact, so that the outputs can be compared in the next step.
  3. Build in parallel, producing multiple independent builds of the same inputs to establish a basis for integrity checks: if the outputs disagree, either the build is not deterministic or one of the builders has been tampered with, and the integrity check fails. We refer to the products of such a system as consensus-attested builds.
  4. Record every build step, creating an immutable record of proof and providing complete traceability. In addition, we have a full-time red team conducting simulated attacks to help ensure our builds can withstand software supply chain attacks.
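The four tenets above, as an added example that is not SolarWinds code and does not describe how the Next-Generation Build System is actually implemented: a small Python harness that runs a developer-supplied build recipe in a throwaway workspace per builder, builds in parallel, attests the artifact only when every builder’s digest agrees, and records each step in a hash-chained ledger. The toy “compiler”, the builder names b1..b3, the sample sources, the backdoored builder, and the path-leaking recipe are all constructed for the demonstration.

```python
"""Consensus-attested reproducible builds with a hash-chained build ledger.
Added example: throwaway workspace per build, a deterministic developer recipe,
parallel builds whose digests must agree, and an append-only record of each step.
The 'compiler' is a toy; a real system would run a pinned toolchain in the workspace."""
import hashlib, json, os, tempfile
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict

# A recipe is what developers control: (sources, workdir) -> artifact bytes.
Recipe = Callable[[Dict[str, bytes], str], bytes]

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def input_digest(sources: Dict[str, bytes]) -> str:
    # Canonical (sorted) order so identical inputs always hash the same.
    h = hashlib.sha256()
    for name in sorted(sources):
        h.update(name.encode() + b"\0" + sources[name] + b"\0")
    return h.hexdigest()

def run_in_ephemeral_workspace(recipe: Recipe, sources: Dict[str, bytes], builder_id: str) -> str:
    """Run the recipe in a fresh temp dir and return only the artifact digest;
    the directory is destroyed on exit, so nothing long-lived remains to persist in."""
    with tempfile.TemporaryDirectory(prefix=f"build-{builder_id}-") as workdir:
        for name, body in sources.items():
            with open(os.path.join(workdir, name), "wb") as f:
                f.write(body)
        return sha256(recipe(sources, workdir))

class BuildLedger:
    """Append-only log; each entry commits to the previous entry's hash,
    so editing or deleting any step makes verify() fail."""
    def __init__(self):
        self.entries = []

    def append(self, **fields) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = dict(fields, prev_hash=prev)
        entry_hash = sha256(json.dumps(body, sort_keys=True).encode())
        self.entries.append(dict(body, entry_hash=entry_hash))
        return entry_hash

    def verify(self) -> bool:
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or sha256(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

def consensus_build(builders: Dict[str, Recipe], sources: Dict[str, bytes], ledger: BuildLedger) -> dict:
    """Validation step developers do not control: run every builder's copy of the
    recipe in parallel and attest only if all digests agree. A compromised builder
    or a non-deterministic recipe shows up as dissent."""
    in_digest = input_digest(sources)
    ledger.append(step="inputs", input_digest=in_digest, builders=sorted(builders))
    with ThreadPoolExecutor(max_workers=len(builders)) as pool:
        digests = dict(pool.map(lambda it: (it[0], run_in_ephemeral_workspace(it[1], sources, it[0])),
                                builders.items()))
    for b in sorted(digests):
        ledger.append(step="build", builder=b, input_digest=in_digest, output_digest=digests[b])
    counts = {d: list(digests.values()).count(d) for d in digests.values()}
    majority = max(counts, key=counts.get)
    dissenters = sorted(b for b, d in digests.items() if d != majority)
    attested = len(counts) == 1
    ledger.append(step="verdict", attested=attested, artifact=majority if attested else None,
                  dissenters=dissenters)
    return {"attested": attested, "digest": majority if attested else None, "dissenters": dissenters}

# Constructed recipes for the demonstration (not real build tooling).
def good_recipe(sources, workdir) -> bytes:
    # Deterministic toy compiler: output depends only on the sorted sources.
    return b"".join(sources[n] for n in sorted(sources))

def path_leaking_recipe(sources, workdir) -> bytes:
    # Classic reproducibility bug: the build path leaks into the artifact.
    return good_recipe(sources, workdir) + workdir.encode()

def backdoored(recipe: Recipe) -> Recipe:
    # Models one compromised build host that appends a (constructed) payload.
    return lambda sources, workdir: recipe(sources, workdir) + b"CALLHOME"

if __name__ == "__main__":
    srcs = {"main.c": b"int main(void) { return 0; }\n", "util.c": b"int counter;\n"}
    ledger = BuildLedger()
    honest = {"b1": good_recipe, "b2": good_recipe, "b3": good_recipe}
    print("honest:   ", consensus_build(honest, srcs, ledger))
    print("tampered: ", consensus_build(dict(honest, b3=backdoored(good_recipe)), srcs, ledger))
    print("leaky:    ", consensus_build({b: path_leaking_recipe for b in honest}, srcs, ledger))
    print("ledger ok:", ledger.verify())
```

Two failure modes are worth noting. A single backdoored builder is outvoted and named in the verdict, which is the consensus case the tenets describe. A recipe that embeds its build path fails on every builder at once; that is not an attack, but the harness cannot tell the difference, which is why determinism (tenet 2) has to be established before parallel builds (tenet 3) can attest anything. The ledger uses a plain hash chain here; a production system would also sign entries or anchor them in a transparency log so a ledger rewrite cannot simply recompute the chain.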

Supporting your software supply chain security

As solution and service providers, we focus on our customers, asking ourselves how we can provide the best and most secure solutions possible. We want to be exemplary, which is why we’re integrating our Secure by Design principles and our Next-Generation Build System with the goal of setting a new standard in secure software development. In doing so, we’ve improved our own supply chain security risk management and can support our customers as they work to mitigate their own software supply chain security risks. To learn more about software supply chain security and the importance of public-private partnerships between organizations and government agencies, check out our SolarWinds Day: Secure by Design recording. For additional information about what SolarWinds is doing to mitigate supply chain threats and our work developing the Next-Generation Build System to meet or exceed the guidance for secure software development from the National Institute of Standards and Technology (NIST) as directed by Executive Order 14028, check out our Secure by Design resources.
Tim Brown
Tim Brown is at the front line of the most vexing challenge facing organizations today: IT security. Tim is currently the Chief Information Security Office…