SolarWinds announced its Next-Generation
Build System aligns with the National Institute of Standards and
Technology (NIST) Secure Software Development Framework (SSDF) and Software Supply Chain Security Guidance.
SolarWinds launched its Secure by Design initiative in 2021 in response
to SUNBURST. This initiative is a multi-pronged strategic approach
featuring proprietary technology, products, and processes designed to
further strengthen the company and industry at large. A key component of
this initiative is the company's Next-Generation Build System, which
leverages a unique parallel build process where software is developed in
multiple secure, duplicate, and ephemeral environments.
"The SSDF guidelines will be an important step in strengthening our
nation's overall cybersecurity posture," said SolarWinds Chief
Information Security Officer and VP, Security, Tim Brown. "At
SolarWinds, we've implemented our Secure by Design initiative with the
goal of becoming a leader in enterprise software security. This has
included aligning our software development processes with NIST's Secure
Software Development Framework and CISA's Enduring Security Framework as
outlined by the National Cybersecurity Strategy."
The SolarWinds Next-Generation Build System consistently meets or
exceeds the proposed standards of the NIST Secure Software Development
Framework by:
- Conducting software builds in parallel by utilizing three isolated and distinct build environments, where each build step is signed and verified before going through a secure validation environment built to perform a variety of scans and security checks to validate the product before release
- Advancing beyond zero trust by adopting and implementing an assume breach position to eliminate implicit trust in applications and services
- Utilizing ephemeral operations in the software development process to eliminate dependencies and remove the opportunity for malicious threat actors to establish a "home base" in systems
- Deploying automated tools designed to run on a recurring basis to scan for vulnerabilities throughout the development process, including through open-source software vulnerability checks, static code analysis, and dynamic application security testing
- Generating a software bill of materials (SBOM), which provides a comprehensive picture of all the components, libraries, tools, and processes used in the build process
- Following responsible disclosure protocols for verified and validated vulnerabilities
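To make the first bullet concrete, the following is an added example written for this page, not SolarWinds' own build-system code and not a description of its internals: three isolated build environments each hold their own signing key, every step's artifact digest is signed into a per-environment ledger, each ledger is verified, and the release is blocked as soon as one environment's digests diverge from the others. The build steps are deterministic hash stand-ins and HMAC stands in for a real signing key; both are assumptions of the example.

```python
import hashlib
import hmac
import secrets

STEPS = ["fetch-sources", "compile", "package"]  # constructed pipeline

def run_step(step, previous, tampered=False):
    """Deterministic stand-in for a build step, so honest environments agree
    byte-for-byte; `tampered` simulates an implant injected in one environment."""
    artifact = hashlib.sha256(step.encode() + previous).digest()
    return artifact + b"implant" if tampered else artifact

def build_in_environment(env_key, tampered_step=None):
    """Run the pipeline in one ephemeral environment; each step's artifact digest
    is signed with that environment's own key (HMAC stands in for a real signer)."""
    ledger, artifact = [], b""
    for step in STEPS:
        artifact = run_step(step, artifact, tampered=(step == tampered_step))
        digest = hashlib.sha256(artifact).hexdigest()
        sig = hmac.new(env_key, f"{step}:{digest}".encode(), "sha256").hexdigest()
        ledger.append({"step": step, "digest": digest, "sig": sig})
    return ledger

def verify_ledger(env_key, ledger):
    """Every step signature must check out before the ledger is trusted at all."""
    return all(hmac.compare_digest(
        hmac.new(env_key, f"{e['step']}:{e['digest']}".encode(), "sha256").hexdigest(),
        e["sig"]) for e in ledger)

def cross_check(envs):
    """envs: {name: (env_key, ledger)}. Release only if every ledger verifies and all
    environments agree at every step; otherwise report the first diverging step."""
    for name, (key, ledger) in envs.items():
        if not verify_ledger(key, ledger):
            return {"release": False, "reason": f"bad signature in {name}"}
    for i, step in enumerate(STEPS):
        digests = {name: ledger[i]["digest"] for name, (_, ledger) in envs.items()}
        values = list(digests.values())
        majority = max(set(values), key=values.count)  # outvote a single bad env
        outliers = sorted(n for n, d in digests.items() if d != majority)
        if outliers:
            return {"release": False, "reason": f"divergence at {step}", "outliers": outliers}
    return {"release": True, "reason": "all environments agree"}

def demo(tampered_env="env-b", tampered_step="compile"):
    # Three isolated environments with independent keys; one may carry an implant.
    keys = {n: secrets.token_bytes(32) for n in ("env-a", "env-b", "env-c")}
    envs = {n: (k, build_in_environment(k, tampered_step if n == tampered_env else None))
            for n, k in keys.items()}
    return cross_check(envs)
```

Because a tampered `compile` step changes everything downstream, the divergence is reported at `compile` rather than at `package`, which tells the operator where to look first.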