Becoming Secure By Design: Questions You Should Ask Your Software Vendors
•Als PPTX, PDF herunterladen•
0 gefällt mir•297 views
The next cyberattack is always around the corner, but you can use every minor incident to help you prepare for major ones. Designing your environment with security in mind at every step will help you better prepare, and you must make sure all those who contribute to your environment are equally secure, including your software partners.
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie Becoming Secure By Design: Questions You Should Ask Your Software Vendors
Ähnlich wie Becoming Secure By Design: Questions You Should Ask Your Software Vendors (20)
Mehr von SolarWinds
Mehr von SolarWinds (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Becoming Secure By Design: Questions You Should Ask Your Software Vendors
- 1. 1 @solarwinds Becoming Secure by Design: Questions You Should Ask Your Software Vendors Tim Brown SolarWinds CISO and VP, Security
- 2. @solarwinds Introduction © 2022 SolarWinds Worldwide, LLC. All rights reserved. Tim Brown SolarWinds CISO and VP, Security
- 3. @solarwinds @solarwinds Today’s IT Climate © 2022 SolarWinds Worldwide, LLC. All rights reserved. While the transition to more distributed environments and architectures has been underway for years, 2020 accelerated this shift—and its challenges. The global pandemic called on IT teams everywhere to keep organizations running, as their team members shifted to remote work nearly overnight. Just as organizations work to secure attack surfaces expanded to support remote teams, the global threat landscape has become even more dangerous.
- 4. @solarwinds 7 Questions You Should Ask Software Vendors 1. What is your approach to the secure development lifecycle? 2. How do you secure software code and its associated infrastructure? 3. What are your internal processes to validate product changes? 4. Have you implemented enterprise risk management (ERM)? 5. What are your notification procedures if a security vulnerability is discovered? 6. What internal processes are used to identify insider threats to software products? 7. What are your internal processes for screening potential employees for insider threats? Including several sub-questions © 2022 SolarWinds Worldwide, LLC. All rights reserved.
- 5. @solarwinds Question 1: What is your approach to a secure software development lifecycle? • Include • Network architecture, dataflow, and interconnection • Development pipeline(s) and procedures • Management of: • Assets, configurations, changes, vulnerabilities, and patching • Mobility, identity, and access • Network security, data protection, and endpoints • Event and incident detection, response, and recovery capabilities and procedures © 2022 SolarWinds Worldwide, LLC. All rights reserved.
- 6. @solarwinds Network Architecture, Dataflow, and Interconnection Environment segmented into Development, Production, and Lab networks. Users have unique and separate accounts within each of those environments as required, and connectivity between environments is limited. © 2022 SolarWinds Worldwide, LLC. All rights reserved.
- 7. @solarwinds Secure Software Development Lifecycle SolarWinds follows a standard Secure Development Lifecycle approach, including: • Requirements analysis • Secure development • Security testing • Release • Response © 2022 SolarWinds Worldwide, LLC. All rights reserved.
- 8. @solarwinds Secure Software Build Environment Phase I: January 25, 2021 • Dual-build verification Phase II: Current • Build environment in AWS • Security enhancements © 2022 SolarWinds Worldwide, LLC. All rights reserved.
- 9. @solarwinds Secure Software Build Environment Phase III: Upcoming • Triple-build environment • SLSA Level 4 compliant © 2022 SolarWinds Worldwide, LLC. All rights reserved.
- 10. @solarwinds Question 1 – Subsections Provide details on each area: • Asset configuration and change management • Vulnerability and patch management • Mobility management • Identity and access management • Network security management • Data protection management • Endpoint protection • Event/incident detection, response, recovery © 2022 SolarWinds Worldwide, LLC. All rights reserved.
- 11. @solarwinds Question 2: How do you secure software code and its associated infrastructure? SolarWinds has adopted a zero-trust strategy along with the following: • Restricted which users have access to build and source environments • Required multi-tiered MFA with YubiKeys • Deployed CrowdStrike Falcon across workstations and servers • Utilized a two-way build process matching source code to product code • Designed and architected a next-generation build pipeline and environment • Consolidated remote and cloud access • Regular internal and external audits of environment • Re-signed affected products with new digital code-signing certificates • Expanded our vulnerability management program with increased frequency • Improved collaboration with security community • Significantly increased investment in ongoing PEN testing • Expanded security analysis of source code • Increased engagement and funding of ethical hacking from white hat communities © 2022 SolarWinds Worldwide, LLC. All rights reserved.
- 12. @solarwinds Question 2: How do you secure software code and its associated infrastructure? Continued © 2022 SolarWinds Worldwide, LLC. All rights reserved. What additional actions are planned? • Security checks at installation (Secure Configuration for the Orion Platform in code) • Least privileged model for the product • External threat modeling and architectural PEN testing • Internal audit function focused on software development and build environment
- 13. @solarwinds 7 Questions You Should Ask Software Vendors 3. What are your internal processes to validate product changes? 4. Have you implemented enterprise risk management (ERM)? 5. What are your notification procedures if a security vulnerability is discovered? 6. What internal processes are used to identify insider threats to software products? 7. What are your internal processes for screening potential employees for insider threats? © 2022 SolarWinds Worldwide, LLC. All rights reserved.
- 14. 14 @solarwinds @solarwinds 14 Key Resources Becoming Secure by Design With SolarWinds solarwinds.com/secure-by-design-resources/becoming- secure-by-design-with-solarwinds IT Trends Report 2021: Building a Secure Future it-trends.solarwinds.com Secure by Design Resource Center solarwinds.com/secure-by-design-resources Orion Assistance Program support.solarwinds.com/orion-assistance-program SolarWinds Trust Center solarwinds.com/trust-center © 2022 SolarWinds Worldwide, LLC. All rights reserved.
- 15. @solarwinds THANK YOU © 2022 SolarWinds Worldwide, LLC. All rights reserved.
- 16. @solarwinds The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.
Hinweis der Redaktion
- SolarWinds follows a standard Secure Development Lifecycle approach, including requirements analysis, secure development, security testing, release, and response. As part of the process, Checkmarx is utilized for static code analysis, WhiteSource is utilized for open-source discovery/analysis, and internal penetration (PEN) testing utilizing Burp Suite and Rapid7 InsightAppSec prior to a final security review.
- Below is a representation of the current SolarWinds build process (Phase II), which is designed to ensure the security and integrity of the code and that no insertions or alterations have occurred during the build process. With Phase I, released in SolarWinds Orion Platform version 2020.2.4 on January 25, 2021, we introduced a dual build verification into our process. This enabled us to take compiled binaries back to the source code files with the associated hashes and compare those hashes with the files in source control, thus ensuring no alteration or insertion occurred within the build pipeline. Phase II of this process incorporates our build in the AWS environment and adds several security enhancements. We will complete this journey with Phase III, represented in the below diagram. This encompasses the triple build environment, which is also SLSA Level 4 compliant
- Below is a representation of the current SolarWinds build process (Phase II), which is designed to ensure the security and integrity of the code and that no insertions or alterations have occurred during the build process. With Phase I, released in SolarWinds Orion Platform version 2020.2.4 on January 25, 2021, we introduced a dual build verification into our process. This enabled us to take compiled binaries back to the source code files with the associated hashes and compare those hashes with the files in source control, thus ensuring no alteration or insertion occurred within the build pipeline. Phase II of this process incorporates our build in the AWS environment and adds several security enhancements. We will complete this journey with Phase III, represented in the below diagram. This encompasses the triple build environment, which is also SLSA Level 4 compliant