Products & Technology, September 25, 2024

Transparency and Trust: SolarWinds CISO on Securing the Software Supply Chain

How SolarWinds uses Spectra Assure in its path to be exemplary.

Michael Parker


Over the past few years, SolarWinds CISO Tim Brown has been focused on building an exemplary, leading program devoted to securing a complex, modern software supply chain. One of the key tools in SolarWinds’ cybersecurity arsenal is ReversingLabs Spectra Assure™. In this video, Brown outlines how SolarWinds is using Spectra Assure as it builds a program to deliver excellence in software supply chain security: ensuring that the software it distributes to its customers is high quality, secure, and free of tampering, malware, or other malicious content.

“Software supply chain is one of the biggest challenges that we face as an industry. The reason being is that we need to know what components go into our software. We need to know how those components are put together. We really need to be able to know how much we trust that piece of software. And that's where Spectra Assure comes in.”

From Cautionary to Cutting Edge

“After the incident, we really wanted to be exemplary,” Brown recalls in an exclusive interview with ReversingLabs. “We've done things such as attest to the (NIST) Secure Software Development Framework. We've attested to the (CISA and NSA-led) Enduring Security Framework,” he said.

Like many other software producers, SolarWinds continues to use legacy application security testing tools, such as static application security testing (SAST) and other inspection tools. But SolarWinds also embarked on a mission to identify new tools that could provide novel, deeper insights into risks and threats.

Applying the Final Build Exam

Going beyond those existing AppSec tools, SolarWinds added Spectra Assure to its development and deployment pipeline as “a final check,” Brown said. “ReversingLabs always plays that important final check to say, ‘Is anything else in here that is suspect?’” That could include unexplained changes to the build process, or unexpected additions to the software. By comparing new builds with previous, known good builds, SolarWinds can “make sure nothing nefarious got into a release,” Brown said.

Spectra Assure helps to identify malware, suspicious behavior, and tampering in compiled binaries. Those checks are critical to ensuring the integrity of the software SolarWinds ships to its customers. But the future for software producers is about more than just improving detection of software supply chain attacks, Brown believes. It is just as much about showing your customers that they can trust the software you’ve delivered to them.

Delivering SBOMs

SolarWinds also uses Spectra Assure to generate software bills of materials (SBOMs) for its products. CISA has been advocating SBOMs over the last few years. “Customers have been starting to ask for SBOMs from vendors,” said Brown. “In our case, federal customers and a few commercial customers have asked for SBOMs for our products before purchase. ReversingLabs is what we use to generate that SBOM.”

Addressing Third-Party Software Risk

Identifying the risk in the software that enterprises purchase and deploy across their organization is another area of focus. “We, like the rest of the industry, are really looking to improve our third-party risk management software and our third-party risk management process,” Brown said. “ReversingLabs can play an important role in that.”

The challenge is that common practices such as SOC 2 reports, ISO certifications, and questionnaires are not enough. “That evaluation doesn't really give you enough to be able to truly assess the risk of the product that you're buying,” Brown said. “So when we look at procurement of software, the ideal case is that you're running ReversingLabs on everything prior to purchase.”

The Evolving Threat Landscape

Our conversation with SolarWinds is a glimpse of the future, in which software development organizations are held to higher standards for both product security and transparency, in addition to adopting new tools and processes to meet those demands. ReversingLabs is honored to play an important role in helping SolarWinds to embrace that future and ensure the continued security and integrity of its products.
