January 21st, 2021
The SolarWinds Breach and Securing the SDLC
The recent SolarWinds security breach impacted many of the company's clients. While it was discovered in December 2020, the attack started in September 2019, and the infected software from SolarWinds was deployed in February 2020.
CrowdStrike has provided a technical analysis of how this happened: CrowdStrike SunSpot Malware Analysis
Many firms are reviewing their software development process to prevent a similar situation, one that damages their reputation, distracts employees and has multiple negative financial consequences. Here are our thoughts and suggestions.
This was an elaborate attack with multiple points of failure, which speaks to a larger problem that most organizations face – the software delivery lifecycle is already complex and time-consuming, and security compliance becomes an extra step that is easily ignored. Policies may be in place, but they are quickly jettisoned when delivery speed is negatively impacted. For example, even if multi-vector security scan analysis is available, there may not be time to properly review the results before shipping a release.
It’s a safe assumption that the potential for a security breach will continue to rise – there was a 50% increase in open-source vulnerabilities reported from 2018-2019 (2020 Open Source Vulnerability Report by WhiteSource) – what will 2021 show?
Open-source is a great example to explore, as many times the teams who deliver new products/features also have the responsibility to patch, maintain and secure the many open-source tools in their toolchain(s). The Common Vulnerabilities and Exposures site provides quick details (just type in the name of an open-source tool) of known issues. Does your organization have a governance policy that curbs risk from these vulnerabilities? And is the process around this policy easy – or easily bypassed?
We believe fully leveraging security solutions is the right thing to do, but it is only part of the answer – adding another step to an already complex toolchain is similar to installing a dash-cam on a 1988 Toyota Camry. Yes, you’ll have video of what happened, but no air-bags, and you’ll never get that ’88 Camry to self-drive.
Making security changes can take months (or years) and slow down the frequency of new releases – negatively impacting the business and frustrating developers and product owners alike. We encourage you to consider putting Guide-Rails® around your SDLC to quickly make overall security improvements, maintain (or even improve) delivery speed and realize cost savings.
About Guide-Rails®: our solution was designed to simplify the entire SDLC – removing complexity, automating compliance, and providing data/metrics to scale Agile practices. Some of the related areas we address include:
– Policy as Code
– Secrets management
– Integration of DB, application, infrastructure and open-source software scanning solutions
– Automated pipelines
– Ephemeral environment creation for test/dev – replace expensive dedicated servers
– Much more…
The end result – deliver fast value to your customers through secure software development.
Learn more about the Guide-Rails® Platform