Secure your business by securing your build operations
The SolarWinds attack has dominated information security news since December, when both private firms and government agencies confirmed that they had been compromised due to a Trojaned software update for their Orion product. Most of the coverage I have read about this attack has focused on either the fact that it was a supply chain attack or on the question of attribution. However, there is more to it than that. The SolarWinds hack revealed the critical importance of securing your software build operations.
You can control your own operations
Consider a factory. If you were managing a factory and were trying to keep it secure while producing quality products for customers, what would make the most impact? Would it be delving deep into the companies supplying the raw materials and making sure they had their houses in order when it came to security? Or would it be making sure your own factory was following good processes?
Focusing on the supply chain angle is like focusing on the companies that provide raw materials. Yes, vetting them makes sense. But the more actionable issues, and the quicker meaningful wins, come from getting your own house in order. I see it like making sure to shut the door to your factory before someone sneaks in to put a wrench in the machinery. It’s not about the end product or the supply chain, but about how the product is made.
This analogy illustrates a crucial and actionable lesson from the SolarWinds hack. Insecure build operations at SolarWinds led to the compromise of the Orion software, and that should be enough to inspire anyone who develops software to assess how they create it. After all, you have more control over what your development team does than over anything a supplier does, and looking at your practices with open, critical eyes can help you make them better. It can produce meaningful security improvements without hiring more staff or buying more security infrastructure, and it helps build a more positive and thoughtful security culture.
What reviewing software build operations entails
When thinking about how your business is approaching software build operations, documents and policies may be the first thing to come to mind. But I encourage you to think more deeply and practically. Written documentation for how your company should be building its software may contain suggestions or best practices, but what secures (or fails to secure) your business does not depend on what is written down. It depends on what your development team is doing day in and day out.
After all, I have never seen a document stop an attacker. If an attacker wants to compromise your business, they care about what is actually vulnerable: what software, devices, and configurations sit between them and the information they want. Consider a developer who automates some of their tasks with a script that has a password hard-coded. If an attacker finds that script either in the network or in a public code repository, will the attacker discount it because a piece of internal documentation or a best practice suggests that scripts should not have hard-coded passwords? Of course not.
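As an added illustration (not code from the original post), the following is the kind of check a build team can run in a pre-commit hook or CI job so that the "no hard-coded passwords" rule is enforced in practice rather than only written down. The script contents, credentials and hostnames are constructed samples; the keyword list is a deliberately small starting point.

```python
import re
from typing import List, Tuple

# Patterns for credential literals commonly found in build and automation scripts.
# Constructed for this example; a production scanner would carry a larger rule set.
CREDENTIAL_PATTERNS = [
    # quoted literal: password = "..." / API_KEY='...'
    re.compile(r'(?i)(password|passwd|pwd|secret|api_key|token)\s*=\s*["\'][^"\']{4,}["\']'),
    # unquoted shell assignment: DB_PASSWORD=hunter2
    re.compile(r'(?i)(password|passwd|pwd|secret|api_key|token)=\S{4,}'),
    # credentials embedded in a URL: https://user:pass@host/
    re.compile(r'(?i)(?:https?|ftp|smb)://[^\s/:@]+:[^\s@]+@'),
]
# Values fetched at runtime (environment variable, secret store) are acceptable.
SAFE_SOURCES = re.compile(r'(os\.environ|getenv|\$\{?[A-Z_][A-Z0-9_]*\}?|vault|keyring|secretsmanager)', re.I)

def find_hardcoded_credentials(script_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, stripped_line) for every line embedding a credential literal."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):   # comments never stop an attacker, but also hold no secret
            continue
        if not any(p.search(stripped) for p in CREDENTIAL_PATTERNS):
            continue
        if SAFE_SOURCES.search(stripped):   # value comes from env/secret store: fine
            continue
        findings.append((lineno, stripped))
    return findings

# Constructed sample: a developer's build helper with the password baked in.
SAMPLE_SCRIPT = """\
#!/bin/bash
# nightly build helper (constructed sample)
DB_USER=builder
DB_PASSWORD="hunter2-prod"
ARTIFACT_TOKEN=${ARTIFACT_TOKEN}
curl https://builder:hunter2-prod@artifacts.example.internal/upload
# password rotated quarterly per policy
"""

# Constructed sample of the same helper after the fix: secrets injected by the CI secret store.
HARDENED_SCRIPT = """\
#!/bin/bash
DB_PASSWORD="${DB_PASSWORD:?set by the CI secret store}"
curl -u "builder:${DB_PASSWORD}" https://artifacts.example.internal/upload
"""

if __name__ == "__main__":
    for lineno, text in find_hardcoded_credentials(SAMPLE_SCRIPT):
        print(f"hard-coded credential at line {lineno}: {text}")
    print("hardened script findings:", find_hardcoded_credentials(HARDENED_SCRIPT))
```

Run against the sample it flags lines 4 and 6 and nothing in the hardened version; the comment on line 7 is ignored, which is exactly the point about documentation versus practice.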
Strengthening the security of your business requires learning what is happening on a daily basis. Learning about developer workflow in the context of ultimate business goals matters: what developers are doing, why they do it, and how they use the available tools and infrastructure to build the product. Only by asking those questions and understanding both the business needs and the procedures can you gain an understanding of where the weaknesses are and how to improve, creating more effective defence in depth.
Choosing the right partner
When reviewing your software build operations, I recommend collaborating with someone outside your company. It makes sense, since they’ll have a set of fresh eyes. They won’t be accustomed to following your own business’s procedures day in and day out, which can help put them in a position to ask critical questions about what your developers are doing and why. However, when deciding who to trust with something as important as reviewing and improving the software build operations at the heart of your business, I encourage you to evaluate whether they are the right partner before bringing them in.
The right partner for your business needs to have a collaborative approach. After all, any improvement in build procedures has to be designed in light of your business goals. Even if someone knows about security best practices, that knowledge will not translate to better security unless they also learn your development team’s goals. The only effective operational improvements are ones that make things more secure while enabling developers to satisfy goals.
I also recommend working with a partner who knows developers and knows the impact developers have on security. Security is a broad field, and security companies have different expertise and different approaches to their advisory engagements. If your company develops software, look for a company with a long history of experience working closely with software developers to strengthen their security programs.
Why now?
I encourage you to think now about how to strengthen your build procedures. Not only is there no time like the present to improve your security, but also with SolarWinds in the news, I have seen more executives than before asking if they could be the next SolarWinds. In that sense, it is a good time to get buy-in for process analysis and improvement.
But it is more than that. As the landscape changes over time, new threats will emerge that target weaknesses in software build operations. If your business adds review and improvement of build procedures as part of its security arsenal now, you will be better equipped to review, optimize, and secure how you build software in the future.
If you’re wondering, “Is this us? How do we make software? What does our factory look like?” the Security Compass Advisory team is highly skilled and able to provide you with the answers. We have focused on developers, worked with developers, and existed at the intersection of software development and security since our company’s founding over fifteen years ago. Our team can help you fully understand what your build operations look like and provide real, tangible, practical guidance on how to address any security issues in them.
If you’re interested in talking to us about how you can improve your software development processes, we’re here to listen. Get in touch and let’s discuss how we can work together to secure your business.