What is Secure by Design?
Secure by Design is a cybersecurity standard introduced by SolarWinds in January 2021 following the SUNBURST cyberattack. Focused on people, infrastructure, and software development, it is designed to strengthen the company's security framework and to set a new standard for secure software development. Informed by years of experience from industry-leading cybersecurity experts, Secure by Design was developed with the intention of making SolarWinds a trusted leader in enterprise software security.
How does Secure by Design differ from existing SolarWinds approaches?
SolarWinds has always made cybersecurity a priority. Under the leadership of President and CEO Sudhakar Ramakrishna, a recognized cybersecurity expert and former CEO of Pulse Secure, the company has made significant investments in further hardening its security systems and processes. This includes implementing new security principles and a comprehensive approach designed to ensure all products delivered, internal environments, and software development environments are Secure by Design.
How does Secure by Design differ from how other companies approach cybersecurity?
Secure by Design is a multi-faceted approach built to go beyond just software protection. It foundationally prioritizes cybersecurity right from the start and throughout the entire life cycle management process as opposed to viewing it as an afterthought or add-on.
Why did SolarWinds develop Secure by Design?
SolarWinds is committed to becoming a leader in software security. SolarWinds created Secure by Design to develop stronger products, processes, and environments for the benefit of its employees, customers, partners, and shareholders—and for the benefit of the infrastructures and supply chains on which we all rely.
What are the key components of Secure by Design?
Secure by Design includes proprietary technology, products, and processes to further strengthen SolarWinds and the industry at large. This includes the following:
- Hardening the software build environment and internal systems
- Upgrading endpoint protection and data loss prevention (DLP) solutions
- Expanding zero trust to an assume-breach position, a mindset designed to identify and address gaps in the following:
  - The detection and prevention of attacks
  - The response to an attack and penetration
  - The recovery from an attack, tamper, or leak
  - The prevention of future attacks or breaches
- Adopting least-privilege access methodologies
- Designating special red teams to regularly test the system
How is SolarWinds changing its software build model?
SolarWinds is designing its Next-Generation Build System, a new model for software development. The Next-Generation Build System includes software development practices and technology designed to strengthen the integrity of the build environment through a "parallel build" process in which software is built in multiple secure, duplicate, and ephemeral environments.
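The page describes the parallel build only at this level of detail. As an added illustration of the integrity property such a design aims for (this is not SolarWinds' code and does not describe the actual Next-Generation Build System), the Python below builds the same constructed source tree several times in independent throwaway directories and compares the artifact digests. It assumes that the duplicate builds are meant to be checked against each other before release (the page does not spell out that comparison step), uses a toy deterministic "compiler" in place of a real toolchain, and models build-time tampering as a simulated implant that rewrites a source file on one host only; every name below is hypothetical.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Callable, List, Optional, Tuple

# Constructed stand-in for a source tree (not a real SolarWinds product).
SOURCE_FILES = {
    "main.c": "int main(void) { return 0; }\n",
    "util.c": "int helper(int x) { return x + 1; }\n",
}

# A builder takes a populated working directory and returns the artifact path.
BuildFn = Callable[[str], str]


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_in_ephemeral_env(build: BuildFn) -> str:
    """Run one build in a fresh temporary directory and return the artifact digest.

    The directory is populated from SOURCE_FILES and destroyed afterwards, so no
    state (and no implant planted on disk) survives from one build to the next.
    """
    workdir = tempfile.mkdtemp(prefix="ephemeral-build-")
    try:
        for name, body in SOURCE_FILES.items():
            with open(os.path.join(workdir, name), "w", encoding="utf-8") as f:
                f.write(body)
        return sha256_file(build(workdir))
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


def parallel_build(build: BuildFn, copies: int = 3) -> Tuple[Optional[str], List[str]]:
    """Build `copies` times in independent ephemeral environments and compare.

    Returns (consensus_digest, per_copy_digests). consensus_digest is None when
    any copy disagrees, i.e. when one build host tampered with the output or the
    build is simply not reproducible; in either case the artifact must not ship.
    """
    digests = [build_in_ephemeral_env(build) for _ in range(copies)]
    consensus = digests[0] if len(set(digests)) == 1 else None
    return consensus, digests


def honest_build(workdir: str) -> str:
    """Toy deterministic 'compiler': concatenate the .c files in sorted order."""
    out = os.path.join(workdir, "product.bin")
    with open(out, "wb") as f:
        for name in sorted(os.listdir(workdir)):
            if name.endswith(".c"):
                with open(os.path.join(workdir, name), "rb") as src:
                    f.write(src.read())
    return out


def nonreproducible_build(workdir: str) -> str:
    """Same toy compiler, but it stamps a random build ID into the artifact."""
    out = honest_build(workdir)
    with open(out, "ab") as f:
        f.write(b"BUILD-ID:" + os.urandom(8))
    return out


def make_tampering_build(inner: BuildFn, tamper_on_call: int) -> BuildFn:
    """Wrap a builder with a simulated build-host implant (hypothetical).

    On exactly one invocation (the `tamper_on_call`-th) the wrapper edits a
    source file before compiling, modelling an implant that lives on only one
    of the parallel build hosts. The other copies are untouched.
    """
    calls = {"n": 0}

    def build(workdir: str) -> str:
        calls["n"] += 1
        if calls["n"] == tamper_on_call:
            with open(os.path.join(workdir, "util.c"), "a", encoding="utf-8") as f:
                f.write("/* code injected by simulated build-host implant */\n")
        return inner(workdir)

    return build


if __name__ == "__main__":
    for label, builder in [
        ("honest", honest_build),
        ("one host compromised", make_tampering_build(honest_build, tamper_on_call=2)),
        ("non-reproducible", nonreproducible_build),
    ]:
        consensus, digests = parallel_build(builder, copies=3)
        verdict = "RELEASE" if consensus else "BLOCK"
        print(f"{label:22s} {verdict}  {[d[:12] for d in digests]}")
```

The point of the comparison is that an implant which alters the output on one build host produces a digest that disagrees with the other copies, so the release is blocked without anyone having to know in advance what the injected code looks like. The same check also fails when the build itself is not reproducible (the random build ID case), which is why reproducibility is a prerequisite for this kind of verification rather than an optional nicety.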
Will other companies be able to leverage the Next-Generation Build System?
Yes, SolarWinds will release components of the Next-Generation Build System as open source. The company is committed to enhancing overall industry collaboration and transparent communication to protect our shared cyberinfrastructure more effectively from evolving cyber threats.
Who created Secure by Design?
Led by SolarWinds President and CEO Sudhakar Ramakrishna, CISO and VP of Security Tim Brown, and other senior executives, Secure by Design was created in partnership with leading cybersecurity experts, customers, and partners, including Alex Stamos and Chris Krebs.
Has Secure by Design been effective?
Yes. SolarWinds has been able to measure the impact of Secure by Design using red teams, who play the role of a threat actor in simulated attacks, and penetration testing.
How has Secure by Design impacted SolarWinds customers?
SolarWinds customers have embraced the company’s approach to security and commitment to information sharing and transparency. Thanks to Secure by Design, customers know they can trust SolarWinds solutions, and the company has seen a return to historically high customer retention rates.
How will Secure by Design benefit the software industry at large?
SolarWinds is committed to sharing its Secure by Design approach with the entire industry, including by releasing components of the Next-Generation Build System as open source. The company has been commended in the industry for Secure by Design, which has provided a new model for how to help prevent and mitigate cyberattacks by following these guiding principles:
- Develop a resilient build environment called our Next-Generation Build System,
- Build out a community approach to support cyber resiliency,
- Improve overall security through transparency,
- Build out a security team to conduct frequent red and purple teaming and auditing in the middle of builds,
- Increase efforts to gain more visibility into systems and processes, and
- Go beyond zero trust with an “assume breach” mindset.
What was SUNBURST?
SUNBURST was a highly sophisticated cyberattack targeting multiple technology companies, including SolarWinds, and was discovered in December 2020. The U.S. government attributed the cyberattack to a foreign nation.
How was SolarWinds impacted by SUNBURST?
SolarWinds was targeted in the SUNBURST attack through a new type of sophisticated cyberattack in which malware monitored company systems and automatically injected malicious code into the company's legitimate code before it was made available to customers.
Wasn’t SUNBURST the result of a poorly secured password (“solarwinds123”)?
No. Though it was widely misreported in the media, SolarWinds determined these credentials were for a third-party vendor application and not for access to the SolarWinds IT systems. This third-party application did not connect with the SolarWinds IT systems and had nothing to do with SUNBURST.
How many SolarWinds customers were impacted because of SUNBURST?
Fewer than 100 customers were targeted by the threat actor for follow-on activity, rather than the "thousands" often reported; the larger figures count customers who received the affected update, not those the attacker actually pursued.
Did the company investigate SUNBURST?
Yes. The company has been transparent in sharing information about its investigation into SUNBURST. The final report was published in May 2021.
How did SolarWinds respond to SUNBURST?
SolarWinds took immediate action to contain the incident, protect its customers, and secure its environment. This included notifying customers and developing and releasing a patch within 48 hours.
Could SUNBURST have been prevented?
Independent experts have noted it’s nearly impossible for any one company to stop sophisticated, motivated, and well-funded nation-state actors.
What has the company done since the incident?
SolarWinds has never stopped working to ensure the integrity of its systems and further strengthen its environment. The company continues to expand on its Secure by Design approach with the ongoing development of its new software build model.