Lessons learned from software supply chain breach lead to innovative and secure development scheme.

SolarWinds became the poster child for attacks on software supply chains last year when a group of threat actors injected malicious code known as Sunburst into the company’s software development system. It was subsequently distributed through an upgrade to its Orion product to thousands of government and enterprise customers worldwide.

SolarWinds learned from the experience and has introduced new software development practices and technology to strengthen the integrity of its build environment. It includes what SolarWinds says is the first-of-its-kind “parallel build” process, where the software development takes place through multiple highly secure duplicate paths to establish a basis for integrity checks.

“If a build system lacks integrity checks to ensure that compiled binaries match the intended source code used to create them, then this approach is a marked improvement,” says Daniel Kennedy, research director for information security and networking at 451 Research. “The new system was developed using an accelerated timeline so there is no guarantee that the system will be fully secure at the onset, but it appears that the new system also allows for faster and more dynamic actions, if new threats emerge. The new system also has more transparency in its design, allowing for faster and more reliable improvement, maintenance, and development.”

“The whole CI/CD pipeline approach to AppDev is not only linear, but relies essentially on a single line, so the introduction of parallel lines, perhaps with one team checking the other’s work, does sound like an approach to achieve more of a secure-by-design environment,” adds Rik Turner, a senior principal analyst for cybersecurity at Omdia, a technology advisory firm.
New development processes might have prevented attack

“If the new build scheme had been in place back in March 2020, it is likely that the attack could have been either prevented or addressed more quickly,” says Shital Thekdi, an associate professor of analytics and operations at the University of Richmond.

“The new build scheme would have greatly reduced the chances of hackers having the ability to tamper with the build system without being observed,” adds Ken Arora, distinguished engineer in the Office of the CTO at F5, a provider of application security and industry tools. “Even if the attackers had some success, the compromise would have been short lived due to the dynamic operation strategy and self-destructive approach.”

Collaboration key to protect shared infrastructure

SolarWinds’ new build system is constructed around four secure-by-design principles:

- Operations are dynamic and use short-term software build environments that self-destruct after completing a specific task.
- Products are built systematically, ensuring build products can be made deterministically so any newly created byproducts will always have identical, secure components.
- Processes contain simultaneous builds so software development byproducts, such as data models, can be created in parallel to establish a basis for detecting unexpected modifications to the products.
- Detailed records are maintained so every software build step is tracked for complete traceability and permanent proof of record.

Since the software build process SolarWinds used at the time of the Sunburst attack is commonly used by the industry, the company is making some components of its new build system available to the public as open-source software.
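The four principles above (ephemeral build environments, deterministic output, parallel paths compared against each other, and a persistent build record) can be illustrated in a small script. The following is an added example written for this article, not SolarWinds' own build system or its open-source components: the "build" is a toy step that packages a constructed sample source tree into a tar archive with normalised metadata, the tool runs that build in several self-destructing temporary directories, records each path's artifact digest, and checks that all paths agree before a binary is accepted. All file names, the sample sources and the record format are assumptions made for the illustration.

```python
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

# Constructed sample source tree (hypothetical; not SolarWinds code).
SAMPLE_SOURCE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/version.h": b'#define VERSION "1.0"\n',
}


def source_digest(source: dict) -> str:
    """Order-independent content digest of the source tree that was built."""
    h = hashlib.sha256()
    for name in sorted(source):
        h.update(name.encode() + b"\0" + source[name] + b"\0")
    return h.hexdigest()


def deterministic_build(source: dict, workdir: Path) -> bytes:
    """Toy build step: materialise the sources in workdir and package them into a
    tar archive with normalised metadata (fixed mtime, uid/gid, mode and sorted
    entry order) so the output bytes depend only on the source content."""
    for name, data in source.items():
        target = workdir / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(source):
            data = (workdir / name).read_bytes()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0                 # no wall-clock timestamps in the artifact
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_once(source: dict) -> bytes:
    """Run one build in a short-lived work directory that is removed afterwards."""
    with tempfile.TemporaryDirectory() as tmp:   # self-destructs on exit
        return deterministic_build(source, Path(tmp))


def parallel_build(source: dict, paths: int = 2) -> dict:
    """Run the same build in `paths` independent ephemeral environments and keep
    a record of the source digest and every path's artifact digest."""
    builds = []
    for i in range(paths):
        artifact = build_once(source)
        builds.append({"path": i,
                       "artifact_sha256": hashlib.sha256(artifact).hexdigest()})
    return {"source_sha256": source_digest(source), "builds": builds}


def builds_agree(record: dict) -> bool:
    """Integrity check: at least two paths ran and all produced identical bytes."""
    digests = {b["artifact_sha256"] for b in record["builds"]}
    return len(record["builds"]) >= 2 and len(digests) == 1


def artifact_matches_record(artifact: bytes, record: dict) -> bool:
    """Gate for release: the binary must match a record whose paths all agree."""
    if not builds_agree(record):
        return False
    return hashlib.sha256(artifact).hexdigest() == record["builds"][0]["artifact_sha256"]


if __name__ == "__main__":
    record = parallel_build(SAMPLE_SOURCE, paths=3)
    print(json.dumps(record, indent=2))           # the traceability record
    print("parallel paths agree:", builds_agree(record))
    print("release candidate accepted:",
          artifact_matches_record(build_once(SAMPLE_SOURCE), record))
```

Any divergence between paths, or between a release candidate and the recorded digest, fails the check; because the record ties the artifact digest to the source digest, a later rebuild from the same sources can be compared against it. A real pipeline would run the paths on separately provisioned machines and sign the record, which this illustration does not do.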
Says SolarWinds CEO and President Sudhakar Ramakrishna, “Communicating transparently and collaborating within the industry is the only way to effectively protect our shared cyber infrastructure from evolving threats.”