The supply chain attack that targeted SolarWinds and customers of the company’s Orion network monitoring platform, which first came to light in December 2020, has sparked much discussion about what was wrong and what lessons, particularly in cybersecurity, could be learned.
Much of this discussion focused on the security failures of the incident, including how a nation-state attack group managed to circumvent internal corporate controls and implant a Trojan in a software update that was delivered to Orion customers and, once installed, opened a backdoor into their networks, giving attackers access to an organization’s systems and services such as email.
During testimony before Congress in March, SolarWinds CEO Sudhakar Ramakrishna told lawmakers the company was still investigating “Patient Zero,” the initial attack vector the attackers used to circumvent the company’s controls and security. Possibilities include a password spray attack to guess usernames and passwords, theft of employee credentials, or even third-party software used internally by SolarWinds that could have been compromised.
Beyond questions from lawmakers, Ramakrishna held a series of discussions about steps SolarWinds is taking to improve its code development process, particularly around building more security into its software development. He called the initiative “Secure by Design,” which is borrowed from a movement and approach developed by several software developers and vendors, including Microsoft.
“It is well accepted that software has bugs. It is well recognized that software can present security problems. And I think it comes down to a mindset issue, from education to how you build the software itself,” Ramakrishna said during a recent discussion about developing this mindset, according to a report from SDXCentral.
Part of this new perspective involves changing the way the company views software development, as well as the automatic updates that are pushed to its customers. Ramakrishna now says SolarWinds’ CISO can stop product releases, and the company will now use multiple build systems running in parallel to ensure integrity and quality control.
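The parallel-build integrity check described above, as an added illustration and not SolarWinds’ own tooling: each independent build system produces an artifact, and the release gate only passes when every system’s digest agrees. The builder names, the minimum-builder policy and the sample artifacts are all constructed for the example.

```python
import hashlib
from collections import Counter

MIN_BUILDERS = 2  # constructed policy: never release from a single build system


def artifact_digest(data: bytes) -> str:
    """SHA-256 of a build artifact, the value each build system reports."""
    return hashlib.sha256(data).hexdigest()


def check_parallel_builds(artifacts: dict) -> dict:
    """Compare artifacts produced by independent build systems.

    artifacts maps a build-system name to the bytes it produced. Release is
    allowed only when enough builders ran and all digests are identical;
    otherwise the dissenting builders are named so the pipeline can hold the
    release and quarantine those systems for investigation.
    """
    if len(artifacts) < MIN_BUILDERS:
        return {"release": False, "reason": "too few build systems",
                "consensus": None, "outliers": []}
    digests = {name: artifact_digest(data) for name, data in artifacts.items()}
    # The most common digest is the reference; with a tie, one side is picked
    # and the other is reported, so the release is still blocked.
    consensus, _ = Counter(digests.values()).most_common(1)[0]
    outliers = sorted(name for name, d in digests.items() if d != consensus)
    if outliers:
        return {"release": False, "reason": "build outputs diverge",
                "consensus": consensus, "outliers": outliers}
    return {"release": True, "reason": "all builds agree",
            "consensus": consensus, "outliers": []}


# Constructed sample: three builders compile the same source; one produces
# extra bytes that are not in the source tree, as a tampered build would.
CLEAN = b"#!/bin/sh\necho monitoring-agent 1.0\n"
TAMPERED = CLEAN + b"# bytes not present in the source tree\n"
SAMPLE = {"builder-a": CLEAN, "builder-b": TAMPERED, "builder-c": CLEAN}

if __name__ == "__main__":
    print(check_parallel_builds(SAMPLE))
```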
While SolarWinds is in the delicate position of having to prove that its software is not only reliable but secure, it is unclear whether the company’s example will cause an industry-wide mindset shift, especially considering how developer teams and security managers have struggled to include security in the DevOps process.
“No one can guarantee absolute certainty of safety or security,” said Chris Morales, CISO of security firm Netenrich.
“We can see that several resilience techniques are being implemented. Especially diversity, redundancy and justified integrity,” Morales added. “These are all powerful techniques for creating complexity in an attacker’s ability to achieve their goal. This is the right direction. As long as they continue through the process of learning and adapting over time, getting better will come naturally through the process.”
Defining security by design
For several years, the push for digital transformation and the need to rely more heavily on the cloud has prompted security and development teams to try to integrate some type of DevSecOps program into their application development process. However, results have been slow to arrive. A 2019 report from 451 Research found that only about 9% of budgets are spent on application security.
Another study, published in August 2020, conducted by Enterprise Strategy Group and sponsored by Veracode, surveyed 378 developers and security professionals about their views on DevSecOps. It found that while developers are taking steps to address security issues, these improvements are at odds with other priorities such as rapid development.
Morales cautions that organizations shouldn’t conflate the move to security by design with DevSecOps, as these approaches can have different meanings and require distinct mindsets. But as developers and security teams increasingly try to create better code, it’s worth thinking about how the two work together.
“DevSecOps is part of security by design, but not in its entirety. Security by design is not a specific practice, but a broader mindset aimed at enabling cyber resilience. Cyber resilience is simply about anticipating, resisting and adapting to adversity,” Morales told Dice. “DevSecOps is about building code, but it’s not about the distribution or hosting stage of applications. Cyber resilience, however, takes a holistic approach to thinking about how to withstand and survive adversity at every stage of the business lifecycle.”
While Morales supports the concepts of secure design and cyber-resilience techniques, he also believes these techniques can be incorporated into all aspects of business operations. The problem, he noted, is that this should have been obvious before the attack on SolarWinds.
“The SolarWinds breach should have made that clear not just to SolarWinds but to everyone,” Morales said.
Where to start?
Dirk Schrader, global vice president of security research at New Net Technologies, doesn’t think a secure-by-design approach would have prevented the attack that targeted SolarWinds. In his view, this approach would have failed to detect and prevent a compromised build process, a core element of the company’s overall business processes.
Still, Schrader thinks the time has come for developers and their security counterparts to try to use security by design as a starting point for creating better, more secure code.
“Developers and cybersecurity professionals can help each other improve an application’s cybersecurity posture by discussing that application’s architecture, design, and how data flows through it,” Schrader told Dice. “The better the understanding about this on both sides, and what potential pitfalls and attack vectors exist, the better this posture will be. From a security professional’s perspective, viewing an application as a big black box won’t help secure it; it will just enforce the old-fashioned fence around it. A developer’s perspective on the security aspects of code should also take into account the outside point of view.”
Morales believes that organizations need to start from a policy, process and procedure perspective, which requires a change in corporate culture.
“We shouldn’t be celebrating time to market and fast coding practices above all else,” Morales said. “So many engineering teams use the excuse of focusing on delivery first. That’s okay for a doctor in a hospital saving lives. Building a product is not that. Society depends on secure coding best practices, or everyone suffers the consequences.”