Using Security by Design to Protect Supply Chains
The software management firm SolarWinds is revising how it approaches security to develop better products and to help its customers and protect the supply chain they all rely on.
Cyber attacks on supply chains are a growing threat, something SolarWinds experienced in 2020 when Russian government-backed hackers breached the servers for one of the company’s software products and compromised the security of hundreds of customers, including several dozen federal agencies.
Under its new CEO Sudhakar Ramakrishna, the company is changing how it operates internally and with its customers by adopting a security by design approach to its operations.
Ramakrishna shared how this is being done in a SIGNAL Media Executive Video interview with George Seffers, SIGNAL Magazine’s executive editor.
To change its security posture, the company focused on three categories: improving its internal security structure; controlling how build systems are accessed; and building security by design into all its software products.
The first step is strengthening the security posture of an organization’s internal infrastructure. This includes steps such as using better threat detection software. Ramakrishna notes that SolarWinds created internal red teams to run simulated attacks to test its defenses.
Category two centers on build systems, access to build systems and the consistency of those systems. The goal here is to ensure that only the right personnel with the right profiles have access.
“Think of it as rule-based access control for build systems,” Ramakrishna says.
The third and final aspect relates to how SolarWinds builds its software. Ramakrishna says the company adopted a parallel build systems process to improve the integrity of the code it delivers and also to reduce the overall threat surface to potential attacks.
“Even if an attacker were to attack our processes and build systems, they would have to go through a lot of hoops to cause any damage,” Ramakrishna explains.
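As an added illustration (not SolarWinds’ code; the article does not describe how its parallel builds are compared), this Python check models the integrity goal of a parallel build process: an artifact is released only when every independent pipeline produced byte-identical output, and any pipeline whose output diverges is flagged for investigation. The pipeline names and artifact bytes are constructed.

```python
import hashlib
from typing import Dict

def sha256_hex(data: bytes) -> str:
    """Digest used to compare artifacts across pipelines."""
    return hashlib.sha256(data).hexdigest()

def check_parallel_builds(artifacts: Dict[str, bytes]) -> dict:
    """Compare artifacts from independent build pipelines.

    Release is allowed only when all pipelines agree; otherwise the
    pipelines that differ from the majority digest are reported so an
    operator can investigate which build environment was tampered with.
    """
    if len(artifacts) < 2:
        return {"release": False, "reason": "need at least two independent builds",
                "digests": {}}
    digests = {name: sha256_hex(blob) for name, blob in artifacts.items()}
    if len(set(digests.values())) == 1:
        return {"release": True, "reason": "all builds agree", "digests": digests}
    counts: Dict[str, int] = {}
    for d in digests.values():
        counts[d] = counts.get(d, 0) + 1
    majority = max(counts, key=counts.get)
    if counts[majority] > len(digests) / 2:
        # a clear majority exists: only the outliers are suspect
        divergent = sorted(n for n, d in digests.items() if d != majority)
    else:
        # no majority: nothing can be trusted, flag every pipeline
        divergent = sorted(digests)
    return {"release": False, "reason": "build outputs diverge",
            "divergent": divergent, "digests": digests}

# Constructed sample: three pipelines, one of which emitted an extra byte
GOOD = b"\x7fELF...constructed artifact bytes..."
TAMPERED = GOOD + b"\x90"
SAMPLE_OK = {"pipeline-a": GOOD, "pipeline-b": GOOD, "pipeline-c": GOOD}
SAMPLE_BAD = {"pipeline-a": GOOD, "pipeline-b": TAMPERED, "pipeline-c": GOOD}

if __name__ == "__main__":
    print(check_parallel_builds(SAMPLE_OK))
    print(check_parallel_builds(SAMPLE_BAD))
```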
These are all parts of a security mentality that extends beyond SolarWinds. Ramakrishna believes that security, especially supply chain security, must be a “community vigil” function. This is because a nation state attacker has the resources to overwhelm even the largest, most capable companies.
This is key because supply chain attacks “are more common than people will accept,” he says.
“What is important is to recognize that we are in a community and that we have to be transparent within it in terms of what we find,” he says, adding that this means sharing information about vulnerabilities.