SolarWinds Evolves Software Development Model With Security In Mind
SolarWinds has launched the Next-Generation Build System, a new software build process and “key component” of the company’s Secure by Design initiative. The move is designed to further distance the software company from a supply chain software breach that surfaced in 2020.
The approach includes a “parallel build” process in which the development of SolarWinds software is completed through multiple duplicate paths to establish a basis for integrity checks. Additional design principles include:
- Dynamic Operations: Uses short-term software build environments that self-destruct after a task is completed.
- Systematic Build Products: Confirms that products are used to create byproducts that have identical, secure components.
- Simultaneous Build Process: Establishes data models and other software development byproducts in parallel to establish a basis for detecting unexpected modifications to these products.
- Detailed Records: Ensures every software build step is tracked and offers a permanent proof of record.
The Next-Generation Build System launch represents Phase III of SolarWinds’ Secure by Design initiative. It comes after SolarWinds introduced dual-build verification into its Orion development process and upgraded the platform’s security controls in 2021.
Software Supply Chain Security: The Wakeup Call and Response
SolarWinds announced Secure by Design in January 2021. The initiative launched after the company reported the Orion security breach in December 2020. In addition, Secure by Design comes as the U.S. Securities and Exchange Commission (SEC) reportedly has investigated whether companies hit by the Orion cyberattack failed to notify their stakeholders about the breach.
Amid that security-related drama, MSPs and MSSPs have spent considerable time studying their software stacks and associated API connections. Recent developments include the CIS Software Supply Chain Security Guide — which provides more than 100 foundational recommendations that can be applied across common technologies and platforms. The guide was developed by Aqua Security and the Center for Internet Security (CIS). Also, and open source tool called Chain Bench allows users to audit the software supply chain to ensure compliance with the new CIS guidelines.