Increasingly, attacks on the software development and delivery process have resulted in malware being introduced into software builds with catastrophic consequences. In a recent example, SolarWinds Orion Software, a network monitoring tool used by many U.S. government agencies and commercial organizations, was severely compromised when attackers introduced a malicious dynamic linking library (DLL) into the software build process. The “trojanized” software created a backdoor that allowed remote attackers to gain access to systems and confidential data via devices running SolarWinds software.
As hundreds of organizations were impacted by the SolarWinds SUNBURST Backdoor Vulnerability, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) found this to be such a threat that they issued an Emergency Directive ordering federal departments and agencies to disconnect affected devices.
Beware of “Good Enough” Software Security
In the rush to rollout more frequent updates, software companies have adopted DevOps practices and tools that allow them to speed up their software supply chain. In the SolarWinds case, the company did attempt to secure their software and DevOps processes by:
- Digitally signing their code;
- Requiring the authentication of their GitHub administrators; and,
- Using secrets to protect information and access credentials.
The problem is that while they did take steps to secure their software, their security was inadequate because of the following reasons:
- Someone had stolen the credentials to sign in authentic code;
- The credentials used to log into the FTP server on GitHub were found in the code, making it easy for attackers to upload malicious software updates; and,
- Secrets and credentials were hardcoded within the code.
When Good Enough Isn’t Enough
The concept of “good enough” is predicated on the belief that the threat landscape is static in nature, and that you have been successful in enumerating all known vulnerabilities. As we all know by now, data protection is an ever evolving living entity, plus the risks are infinite in nature. At best, the concept of “good enough” captures a fleeting moment in time. As the cybersecurity world continues to grow, organizations must implement security measures that not only address what is known, but also ensure their practices are capable of addressing threats as they evolve over time.
Here is what you can do if you’re concerned about your own software development security and operations practices:
1. Have an end-to-end approach to protecting each step of the DevOps process;
2. Build security into your product from the beginning rather than bolting it on;
3. Sign your code with keys that are protected by hardware;
4. Centralize key and certificate management;
5. Store secrets in vaults that are protected by hardware-based security;
6. Assume that your best laid plans today may need to change as time goes on; and,
7. Implement systems and practices that allow for incremental improvements.
There is never a guarantee that anyone can be fully prepared for dealing with the infinite space problem the cybersecurity world faces each day. However, you can certainly lessen the impact of compromises and make it easy to implement changes as needed, if you look past security that is just good enough today.
To find out more about how to establish end-to-end trust and take control your software supply chain security, download our white paper entitled “Securing the DevOps Lifecycle with Continuous Trust.”