The supply chain attack that targeted SolarWinds and customers of the company’s Orion networking monitoring platform, which first came to light in December 2020, prompted a good deal of discussion about what went wrong and what lessons—specifically regarding cybersecurity—could be learned.
Most of that discussion focused on the security failures of the incident, including how a nation-state attack group managed to bypass the company’s internal controls and plant a Trojanized software update that was delivered to Orion customers, which could then install a backdoor within their networks—giving the attackers access to systems and services such as an organization’s email.
During testimony before Congress in March, SolarWinds CEO Sudhakar Ramakrishna told lawmakers that the company was still investigating “Patient Zero,” or the initial attack vector used by the attackers to bypass the company’s controls and security. The possibilities include a password spraying attack to guess usernames and passwords, the theft of employee credentials, or even third-party software used internally by SolarWinds that could have been compromised.
Beyond questions from lawmakers, Ramakrishna has held a series of discussions about the steps SolarWinds is taking to improve its code development process, especially around baking more security into its software development. He has called the initiative “Secure by Design,” which is borrowed from a movement and approach developed by multiple developers and software firms, notably Microsoft.
“It’s well accepted that software has bugs. It’s well accepted that software can have security challenges. And I think that goes back to a mindset issue, from education all the way to how you build the software itself,” Ramakrishna said during one recent discussion about developing this mindset, according to a report from SDXCentral.
Part of this new outlook means changing how the company thinks about developing software, as well as the automatic updates that are pushed out to its customers. Ramakrishna now says that SolarWinds’ CISO can halt product releases, and the company will now use multiple build systems running in parallel to ensure integrity and quality control.
While SolarWinds is in the tricky position of having to prove that its software is not only reliable but secure, it’s not clear if the company’s example will prompt an industry-wide change in mindset, especially given how developer teams and security leaders have struggled to include security in the DevOps process.
“No one can guarantee absolute certainty of safety or security,” said Chris Morales, CISO at security firm Netenrich.
“We can see that several resilience techniques are being implemented. In particular diversity, redundancy and substantiated integrity,” Morales added. “These are all strong techniques in creating complexity to an attacker’s ability to achieve their objective. That is the right direction. As long as they continue through the process of learning and adapting over time, doing better will occur naturally through process.”
Defining Secure By Design
For several years, the push for digital transformation and the need to rely more on the cloud have promoted security and development teams to try and incorporate some type of DevSecOps program into their application development process. Results, however, have been slow to arrive. A 2019 report by 451 Research found that only about 9 percent of budgets are dedicated to application security.
Another study released in August 2020, conducted by Enterprise Strategy Group and sponsored by Veracode, asked 378 developers and security professionals about their view of DevSecOps. It found that, while developers are taking steps to address security issues, these improvements are at odds with other priorities such as rapid development.
Morales cautions that organizations should not try to conflate the shift to secure by design with DevSecOps, since these approaches can have different meanings and require separate mindsets. But as developers and security increasingly try to build better code, it’s worth considering how they work together.
“DevSecOps is part of secure by design but not the entirety of it. Secure by design is not a specific practice but a broader mindset of enabling cyber resilience. Cyber resilience is quite simply to anticipate, withstand and adapt to adversity,” Morales told Dice. “DevSecOps addresses building code, but it does not address the distribution or hosting stage of applications. Cyber resilience, however, takes an overall approach of thinking about how to withstand and survive adversity at every stage of the business lifecycle.”
While Morales supports the concepts of secure by design techniques and cyber resilience, he also believes these techniques can be built into all aspects of the business operations. The problem, he noted, is that this should have been obvious before the attack against SolarWinds.
“The SolarWinds breach should have made that clear not just to SolarWinds but to everyone,” Morales said.
Where to Start?
Dirk Schrader, global vice president for security research at New Net Technologies, does not believe that a secure by design approach would have prevented the attack that targeted SolarWinds. For instance, this approach would not have helped to detect and prevent a compromised build process, a core element of the company’s overall business processes.
Still, Schrader believes that now is the time for developers and their security counterparts to try and use secure by design as a starting point to building better, safer code.
“Developers and cybersecurity professionals can help each other to improve the cybersecurity posture of an application by talking about the architecture, design of that application and how data flows through it,” Schrader told Dice. “The better the understanding about that is on both sides, and what potential traps and attack vectors are existing, the better this posture will get. From a security professional’s perspective, looking at an application as a large black box will not help in securing it, it will only apply the old-style fencing around it. A developer’s perspective on the security aspects of the code needs to take the outsider’s view into account, as well.”
Morales believes that organizations need to start from a policy, process and procedure point of view, and that requires changing company culture.
“We should not celebrate time to market and fast coding practices above all else,” Morales said. “So many engineering teams leverage the excuse of focusing on delivery as a priority. That is acceptable for a doctor in a hospital to save lives. Building product is not that. Society depends on better secure coding practices or everyone suffers the consequence.”