Presented by SolarWinds
Defending an enterprise stack against intruders has never been a bigger challenge than it is in 2023. Simultaneously, software has never been more important or essential. Increased innovation, more ambitious service architectures, and increased use of automation and embedded intelligence mean our code stacks shoulder more responsibility than ever.
The threats are also more sophisticated. The tools are smarter and the means for attack are more insidious. Disgruntled insiders or malicious parties can easily disrupt and even destroy. It’s not unusual for some software service to become tangled in geopolitical power struggles between nation-states or their proxies.
Organizations across industries are meeting this challenge by rethinking their strategies and creating a stronger, more trustworthy path for their software development. They’re tightening up each stage by removing pathways that can open up a vector for attack. The goal is to reevaluate each step and search for vulnerabilities and places where an attacker may try to gain entry or insert malicious code.
This work is critical, as attackers are becoming better at finding weaknesses in places no one anticipated or protected — and this affects everyone in IT. To help combat these threats, companies are also leveraging their own experiences, using “teachable moments” to improve the security posture of their own organizations as well as that of their peers.
“We initially suspected supply chain issues during our first day after the incident,” explained Tim Brown, chief information security officer and VP, security of SolarWinds, speaking of the SUNBURST cyberattack reported two years ago. “Our source code wasn’t affected. Our source control system wasn’t affected. But somewhere in the middle of our build process, malicious code got inserted, and we shipped signed products in that timeframe.”
Before SUNBURST happened, no one expected outsiders would find a way to replace libraries in a build pipeline. Now the team has leveraged the learnings from this unprecedented attack to set a new standard for secure software development.
Building in security from the beginning
Many teams are approaching today’s evolving threats by being more careful about assuming any user or data connection is safe, a philosophy sometimes called “zero trust.”
Others are going further. SolarWinds, for instance, calls its new approach “Secure by Design,” and prioritizes deliberate design decisions by developers and DevOps team members at each stage to bolster security.
With this approach, SolarWinds is strengthening its build pipeline by adding more controls, designed to ensure the release of secure software. This is known as the company’s “Next-Generation Build System,” which consists of the following guiding design principles.
- Everything is built from scratch. Software components are ephemeral because nothing is cached or reused.
- The build process is deterministic. In other words, the result should always be the same. This can be easier in some languages like Java or C#, but the goal is to have a way to understand exactly how the code is turned into a finished product.
- The development, staging and production environments are completely independent of each other. No code artifacts move from one to another. Each rebuilds its code from scratch and tests it independently.
- Code reviews and architectural design reviews occur separately between each stage.
- The staging and production teams are separate. No resource is shared between teams. This prevents one person from potentially subverting both stages at the same time.
- All builds and commits are recorded in an immutable log. This allows auditors to go back and unpack the process to understand any mistakes or abnormalities.
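As an added example (not SolarWinds code; the record layout, function names and the sample builds are assumptions), two of the principles above, a deterministic build and an immutable build log, can be made mechanically checkable: a hash-chained ledger in which each independent builder records the digest of what it produced for a commit, so that both a rewritten history entry and two rebuilds of the same commit that disagree are detectable.

```python
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # prev_hash of the first ledger entry

@dataclass
class BuildRecord:
    environment: str      # "staging" or "production": independent builders
    commit: str           # source commit the build was checked out from
    artifact_sha256: str  # digest of the binary this builder produced
    prev_hash: str        # entry_hash of the previous record (the chain link)
    entry_hash: str = ""
    def compute_hash(self) -> str:
        fields = {k: v for k, v in self.__dict__.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

def append_build(ledger: list, environment: str, commit: str, artifact: bytes) -> BuildRecord:
    """Append one build result; each entry commits to the hash of the one before it."""
    prev = ledger[-1].entry_hash if ledger else GENESIS
    rec = BuildRecord(environment, commit, hashlib.sha256(artifact).hexdigest(), prev)
    rec.entry_hash = rec.compute_hash()
    ledger.append(rec)
    return rec

def verify_chain(ledger: list) -> bool:
    """Any edit to a past entry changes its hash, so it and every later link stop matching."""
    prev = GENESIS
    for rec in ledger:
        if rec.prev_hash != prev or rec.compute_hash() != rec.entry_hash:
            return False
        prev = rec.entry_hash
    return True

def divergent_commits(ledger: list) -> set:
    """Commits whose independent rebuilds disagree: a deterministic build yields one digest."""
    digests = {}
    for rec in ledger:
        digests.setdefault(rec.commit, set()).add(rec.artifact_sha256)
    return {c for c, d in digests.items() if len(d) > 1}

def demo() -> tuple:
    # Constructed scenario: staging and production each rebuild the same commits from source.
    ledger = []
    append_build(ledger, "staging", "commit-a", b"artifact built from commit-a")
    append_build(ledger, "production", "commit-a", b"artifact built from commit-a")
    append_build(ledger, "staging", "commit-b", b"artifact built from commit-b")
    append_build(ledger, "production", "commit-b", b"artifact built from commit-b<extra>")
    chain_ok, divergent = verify_chain(ledger), divergent_commits(ledger)
    ledger[0].commit = "commit-z"  # an after-the-fact rewrite of history
    return chain_ok, divergent, verify_chain(ledger)
```

In the constructed scenario the production build of commit-b carries bytes the staging build never produced, which is exactly the kind of mismatch a SUNBURST-style insertion between source and shipped binary would surface.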
The rules establish a trustworthy build path between the minds of the developers and the binaries running in deployment. Recompiling everything from the original source code checked out from the code repository is designed to ensure nothing can creep in through a different path.
“The reason why the threat actor didn’t attack the source control systems is they knew that they would get caught there,” explained Brown.
The chain of control and the cryptographic assurances in the SolarWinds check-in process are designed to prevent surreptitious changes. Now the company is strengthening this assurance by making sure all binaries come directly from the repository. Approaches like this are becoming more common throughout the software world, and the industries with the most physical vulnerabilities are taking the lead. Some industries, like energy or defense, are starting to ask for better assurances about the quality of their software. Some are even asking for a software bill of materials (SBOM) to enumerate exactly which libraries and packages are part of a product.
The new level of awareness will be felt by proprietary and open-source teams, but the open-source teams may need to work a bit harder to adjust to the new level of scrutiny. In the past, the teams freely shared code and often the binaries, easily building upon the work of others. Now they have to be more careful. Hidden vulnerabilities like the Log4J hole uncovered in 2021 revealed that too much openness could be dangerous if it undermines scrutiny and accountability.
The good news is open-source projects also distribute their source code. Teams can download it and include it in their build pipelines. While this can increase build times and slow development, it creates stronger accountability.
“I think we’re going to end up putting pressure on the open-source community to be able to really support those practices that are going to be expected in the commercial side,” said Brown. “If you’re going to include, say, XYZ library, then you’re going to need to explain: What does this have access to? What is it doing? So, I think the expectations of open source will need to rise in order to be included in the commercial side.”
New standards and file formats for reporting and sharing this information are evolving. Microsoft, for example, open-sourced their SBOM creation tool this year. Other notable tools include Tern, FOSSA and Anchore.
Many companies — SolarWinds included — are also making the process more adversarial. Companies are designating special red teams and granting them the time and resources to break the current system. They’re also explicitly adding them to the development pipeline, both to provide manual security code reviews and also maintain automated security code checkers.
The goal is to eliminate surprises through better build techniques and by embedding security awareness during design. Better preparation and rigorous processes pay off by making it easier to sleep.
“Hopefully this Christmas, we won’t have another Log4J like last year,” said Brown. “That put the world on fire at the worst time.”
To learn more about how SolarWinds can help make your company Secure by Design, visit solarwinds.com/secure-by-design-resources
Sponsored articles are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. For more information, contact firstname.lastname@example.org.