SolarWinds unveiled on Wednesday details of its new software development process designed to avert a repeat of the infamous Sunburst supply-chain cyberattack that the US government has attributed to Russian intelligence hackers.
SolarWinds, a developer of IT management software, became a household name last year after it was revealed hackers had accessed the company’s Orion software during the build stage and placed malware into software updates it issued.
The sophisticated hack compromised a number of federal agencies and big tech companies – and revealed that software supply chains were dangerously vulnerable to hacks.
After revelations of the Sunburst attack, SolarWinds has focused more on security and implemented its own ‘Secure by Design’ initiative aimed at making the company a model for enterprise software security.
On Wednesday, SolarWinds unveiled its so-called “Next-Generation Build System,” which it described as a “transformational model for software development.”
“It’s a major step forward and one other [software vendors] can learn from,” Tim Brown, chief information security officer of SolarWinds, said of the new build process.
In an interview with CRN, Brown noted that SolarWinds is releasing components of the new build system as open-source software, enabling other organizations to benefit from the company’s work and hopefully raising supply-chain security standards in general.
Brown said his firm’s new development process is basically a series of “checks and balances” designed to thwart potential hackers if they try to corrupt software in the build stage.
Asked if the new security measures would have prevented the original Sunburst attack if they had been in place at the time, Brown said: “They absolutely would have prevented the modifications of the build systems.”
He said it’s now “much, much more difficult” to hack into the software build process at SolarWinds.
Brown didn’t have details about how much it cost SolarWinds to develop the new software-development process. But he said it ultimately involved millions of dollars and the work of hundreds of engineers over about six months.
While it was developing new processes for software development, Brown said both channel partners and customers emphasized to SolarWinds that it needed to be very transparent about its security and software development moving forward.
“All vendors, and not just us, are under more scrutiny these days,” he said.
“Communicating transparently and collaborating within the industry is the only way to effectively protect our shared cyber infrastructure from evolving threats,” Sudhakar Ramakrishna, CEO of SolarWinds, said in a press release.
“Our Secure by Design initiative is intended to set a new standard in software supply chain security via innovations in build systems and build processes. We believe our customers, peers, and the broader industry can also benefit from our practices.”
Ramakrishna took the helm of SolarWinds in January 2021, just weeks after the initial disclosures of the supply-chain hack against the company.
In its release on Wednesday, SolarWinds said there were four key tenets that it followed in developing its new build process.
Among those tenets was so-called “dynamic operations,” or making sure software-build environments automatically “self-destruct,” rather than just “sitting there waiting to be attacked,” said Brown.
Another tenet was “simultaneous build process,” which includes limiting employee access to various product tests so that no one person can access all tests.
And SolarWinds also committed itself to “detailed records” that track “every software build step for complete traceability and permanent proof of record,” the company said.
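The two tenets quoted above, independent builds whose results are compared and a permanent record of every build step, can be illustrated with a small tamper-evident build ledger. The code below is an added example written for this article; it is not SolarWinds' build system or any part of the components the company says it open-sourced. It assumes a toy two-step build (a pretend "compile" and "link"), hypothetical helper names (`BuildLedger`, `run_build`, `builds_agree`) and constructed source input; the `inject` parameter only simulates an artifact being altered during the build so the comparison has something to catch.

```python
"""Tamper-evident build-step ledger (added illustration, not SolarWinds code).

Each build step appends a record holding SHA-256 digests of its inputs and
its output plus a chain hash that covers the previous record. Editing or
removing any record breaks the chain, so the ledger acts as an auditable
proof of record. Two independent builds of the same source can then be
compared on their final output digests. All step data is constructed.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class StepRecord:
    step: str
    inputs: dict[str, str]   # input name -> sha256 of its content
    output: str              # sha256 of the produced artifact
    prev_hash: str           # chain hash of the preceding record
    chain_hash: str = ""

    def compute_chain_hash(self) -> str:
        # Canonical JSON so the digest does not depend on key ordering.
        body = json.dumps(
            {"step": self.step, "inputs": self.inputs,
             "output": self.output, "prev_hash": self.prev_hash},
            sort_keys=True,
        ).encode()
        return sha256(body)


class BuildLedger:
    GENESIS = "0" * 64  # prev_hash of the first record

    def __init__(self) -> None:
        self.records: list[StepRecord] = []

    def record_step(self, step: str, inputs: dict[str, bytes], output: bytes) -> StepRecord:
        prev = self.records[-1].chain_hash if self.records else self.GENESIS
        rec = StepRecord(
            step=step,
            inputs={name: sha256(data) for name, data in inputs.items()},
            output=sha256(output),
            prev_hash=prev,
        )
        rec.chain_hash = rec.compute_chain_hash()
        self.records.append(rec)
        return rec

    def verify(self) -> bool:
        """True only if every record links to its predecessor and is unmodified."""
        prev = self.GENESIS
        for rec in self.records:
            if rec.prev_hash != prev or rec.chain_hash != rec.compute_chain_hash():
                return False
            prev = rec.chain_hash
        return True

    def final_output(self) -> str:
        return self.records[-1].output if self.records else ""


def run_build(ledger: BuildLedger, source: bytes, inject: bytes = b"") -> bytes:
    """Toy two-step build; `inject` simulates an alteration made during linking."""
    obj = b"OBJ:" + source                      # pretend compile step
    ledger.record_step("compile", {"main.c": source}, obj)
    binary = b"BIN:" + obj + inject             # pretend link step
    ledger.record_step("link", {"main.o": obj}, binary)
    return binary


def builds_agree(a: BuildLedger, b: BuildLedger) -> bool:
    """Both ledgers intact and both builds produced the identical artifact."""
    return a.verify() and b.verify() and a.final_output() == b.final_output()


if __name__ == "__main__":
    src = b"int main(void) { return 0; }"      # constructed source input
    clean_a, clean_b, altered = BuildLedger(), BuildLedger(), BuildLedger()
    run_build(clean_a, src)
    run_build(clean_b, src)
    run_build(altered, src, inject=b"<unexpected build-time modification>")
    print("independent clean builds agree:", builds_agree(clean_a, clean_b))
    print("altered build matches clean build:", builds_agree(clean_a, altered))
```

A real pipeline would sign each record (or anchor the chain hash in an append-only store) so that the party who can alter the build cannot also rewrite the ledger; the hash chain alone only makes modification detectable, not impossible.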