SolarWinds unveils new development model to avoid a repeat of Sunburst

SolarWinds has unveiled a new software development model, dubbed Next-Generation Build System, that it hopes will help to avoid a repeat of the devastating December 2020 Sunburst cyber attack, and serve as a blueprint for secure software development in the rest of the industry.

The model was developed under the company’s internal secure-by-design initiative, which was established by CEO Sudhakar Ramakrishna in 2021 following the Sunburst attack, which saw Russia-backed threat actors gain a foothold in SolarWinds customers’ networks – including US government agencies – after delivering a malicious update to the firm’s Orion platform.

“Communicating transparently and collaborating within the industry is the only way to effectively protect our shared cyber infrastructure from evolving threats,” said Ramakrishna.

“Our secure-by-design initiative is intended to set a new standard in software supply chain security via innovations in build systems and build processes. We believe our customers, peers, and the broader industry can also benefit from our practices.”

Next-Generation Build System has been developed on an accelerated timeline over the past year, to include new standards for development best practice and technology to strengthen the integrity of the overall build environment.

As trailed by Ramakrishna in a September 2021 interview with Computer Weekly, this involves the use of a so-called “parallel build” process, where software development takes place along multiple, secure, duplicate paths, establishing a basis for integrity checks.

Next-Generation Build System aligns with four key secure-by-design principles:

  • Dynamic operations – which means only short-term software build environments, which self-destruct after completing their specific task, are used.
  • Systematic build products – which means ensuring that build products can be made deterministically, so that any newly created by-products always have identical and secure components.
  • Simultaneous build process – which means creating software development by-products, such as data models, in parallel to establish a basis for detecting any unexpected modifications to them.
  • Detailed records – which means tracking every step of the software build process for traceability and permanent proof-of-record.
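
The Python example below is added here as an illustration and is not SolarWinds' code or part of Next-Generation Build System. It shows how deterministic outputs, parallel builds and a tamper-evident record can combine into a release gate: each build environment's output is hashed file by file, any disagreement blocks the release, and every comparison is appended to a hash-chained log. The function names, directory layout and log format are assumptions.

```python
import hashlib, json, tempfile
from pathlib import Path

def manifest(root):
    """Map each file's relative path to its SHA-256 for one build environment's output."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(manifests):
    """Given {env: manifest}, return {path: {env: digest or None}} for every disagreement."""
    diffs = {}
    for path in sorted(set().union(*manifests.values())):
        seen = {env: m.get(path) for env, m in manifests.items()}
        if len(set(seen.values())) != 1:  # differing digest, or file missing in some env
            diffs[path] = seen
    return diffs

def _digest(prev, event):
    return hashlib.sha256(json.dumps([prev, event], sort_keys=True).encode()).hexdigest()

def append_record(log, event):
    """Append to a hash-chained log: each entry commits to the previous entry's hash."""
    prev = log[-1]["hash"] if log else "0" * 64
    log.append({"prev": prev, "event": event, "hash": _digest(prev, event)})

def verify_log(log):
    """Recompute the chain; any edited, dropped or reordered entry breaks it."""
    prev = "0" * 64
    for e in log:
        if e["prev"] != prev or e["hash"] != _digest(prev, e["event"]):
            return False
        prev = e["hash"]
    return True

def gate(outputs, log):
    """outputs: {env: directory}. Pass only if all parallel builds agree byte for byte."""
    if len(outputs) < 2:
        raise ValueError("need at least two independent build outputs to compare")
    diffs = compare({env: manifest(d) for env, d in outputs.items()})
    append_record(log, {"step": "compare", "envs": sorted(outputs), "mismatches": sorted(diffs)})
    return not diffs, diffs

if __name__ == "__main__":  # constructed sample: two build outputs, one altered
    with tempfile.TemporaryDirectory() as dir_a, tempfile.TemporaryDirectory() as dir_b:
        for d, payload in ((dir_a, b"v1"), (dir_b, b"v1-altered")):
            Path(d, "app.bin").write_bytes(payload)
        log = []
        print(gate({"env-a": dir_a, "env-b": dir_b}, log), verify_log(log))
```

A gate like this is only meaningful when the builds are deterministic; otherwise timestamps or embedded paths produce mismatches that hide real tampering in noise.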

Because SolarWinds’ previous software build process is commonly used throughout the technology industry, the organisation has also elected to release components of Next-Generation Build System as open source software, to enable others to benefit from what it has learned, and help go some way to raising industry standards for secure development processes.

This openness aligns with the CEO’s goals to both share SolarWinds’ learnings from its experience, and collaborate with others. Ramakrishna, who had only just signed his contract and was not yet technically working for SolarWinds when the attack took place, has won praise for his response to the incident and his subsequent candour, and is often found calling for others to follow SolarWinds’ example.

Earlier this month, at the RSA Conference in San Francisco, Ramakrishna called for software companies to dedicate employees to work alongside the US government’s Cybersecurity and Infrastructure Security Agency to improve cooperation and incident response times.

“The only way our industry will be able to effectively respond to the evolving threat landscape is through a true partnership between the public and private sectors,” he said.
