“ReversingLabs always plays that important final check to say, ‘Is anything else in here that is suspect?’” Tim Brown, CISO, SolarWinds
Building an exemplary, leading program devoted to securing a complex, modern software supply chain was the critical objective for SolarWinds after the Sunburst incident. While SolarWinds continued to use its existing application security testing tools, it set out to identify new tools that could provide deeper insight into risks and threats those tools do not surface.
That's when SolarWinds added Spectra Assure™ to its development and deployment pipeline. Spectra Assure provides “a final check,” CISO Tim Brown said. “ReversingLabs always plays that important final check to say, ‘Is anything else in here that is suspect?’” That could include unexplained changes to the build process or unexpected additions to the software. By comparing new builds with previous, known-good builds, SolarWinds can “make sure nothing nefarious got into a release,” Brown said.
Malware, tampering, suspicious behavior changes, and more can be identified within proprietary, commercial, and open-source components, plus artifacts added during compilation. In addition, Spectra Assure determines whether software components or artifacts behave as expected, flagging anomalies, unusual patterns, or behavior changes between builds, which is critical for seeing and stopping novel supply chain attacks before release.
Automated prioritization helps product and security teams organize remediation projects for development teams, which is critical for balancing security improvements with delivery timelines.
SBOMs That Drive Transparency and Business
SolarWinds sees an increasing number of requests for software bills of materials (SBOMs) before purchase. This marks a milestone for enterprise procurement, with vendor transparency becoming a standard practice. Prospective customers need software inventory information to manage third-party risk effectively.
“ReversingLabs is what we use to generate that SBOM,” Brown said. “Our customers are requesting them. Our customers need them. The ability to produce SBOMs helps us close our deals.”
Spectra Assure generates a comprehensive SBOM by analyzing the entire software release that customers will receive, including proprietary, commercial, and open-source components. Assessing software in its final, deployable state produces a more complete inventory than tools that cover only open-source components or that rely on build manifests, which describe the expected contents of a release rather than its actual contents. SBOMs are exported in the CycloneDX or Software Package Data Exchange (SPDX) formats, both industry standards, to respond to customer requests.
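The two checks described above, comparing a new build against a previous known-good build and building the inventory from the artifact that actually ships rather than from a build manifest, can be illustrated with a small script. The following is an added example, not code from ReversingLabs, Spectra Assure or SolarWinds: it packs two constructed in-memory zip archives (a baseline and a new build), hashes every file in each, reports additions, removals and changes, reconciles the new build against a constructed manifest, and emits a minimal CycloneDX-style document from the real contents. File names, contents and the manifest are invented for the demonstration.

```python
import hashlib
import io
import json
import zipfile

# Constructed sample releases (not real SolarWinds artifacts): a known-good
# baseline and a new build with one expected change and one unexpected addition.
BASELINE_FILES = {
    "bin/agent.exe": b"agent v1.0 binary",
    "lib/netlib.dll": b"netlib 2.3",
    "etc/agent.conf": b"poll_interval=60\n",
}
NEW_BUILD_FILES = {
    "bin/agent.exe": b"agent v1.1 binary",      # changed: version bump
    "lib/netlib.dll": b"netlib 2.3",            # unchanged
    "etc/agent.conf": b"poll_interval=60\n",    # unchanged
    "lib/helper.dll": b"not in any manifest",   # added and never declared
}
# Constructed build manifest: what the build is *supposed* to contain.
MANIFEST = {"bin/agent.exe", "lib/netlib.dll", "etc/agent.conf"}


def make_zip(files):
    """Pack {path: bytes} into an in-memory zip, standing in for a release archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in files.items():
            zf.writestr(path, data)
    return buf.getvalue()


def inventory(zip_bytes):
    """Return {path: sha256} for every file actually present in the archive."""
    inv = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            inv[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return inv


def diff_builds(baseline, new):
    """Compare two inventories: paths added, removed, or whose hash changed."""
    common = set(baseline) & set(new)
    return {
        "added": sorted(set(new) - set(baseline)),
        "removed": sorted(set(baseline) - set(new)),
        "changed": sorted(p for p in common if baseline[p] != new[p]),
    }


def reconcile_manifest(new, manifest):
    """Files shipped but never declared, and declared files that did not ship."""
    return {
        "undeclared": sorted(set(new) - manifest),
        "missing": sorted(manifest - set(new)),
    }


def cyclonedx_sbom(new):
    """Minimal CycloneDX 1.5 JSON built from the artifact's actual contents."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": [
            {"type": "file", "name": path,
             "hashes": [{"alg": "SHA-256", "content": digest}]}
            for path, digest in sorted(new.items())
        ],
    }


def final_check(baseline_zip, new_zip, manifest):
    """The 'final check': is anything in the new build suspect? Returns findings and SBOM."""
    base_inv, new_inv = inventory(baseline_zip), inventory(new_zip)
    findings = diff_builds(base_inv, new_inv)
    findings.update(reconcile_manifest(new_inv, manifest))
    # Anything new to the release that no manifest accounts for goes to a human.
    findings["suspect"] = sorted(set(findings["added"]) | set(findings["undeclared"]))
    return findings, cyclonedx_sbom(new_inv)


if __name__ == "__main__":
    findings, sbom = final_check(make_zip(BASELINE_FILES), make_zip(NEW_BUILD_FILES), MANIFEST)
    print(json.dumps(findings, indent=2))
    print(json.dumps(sbom, indent=2))
```

Changed files are reported separately from additions: a hash change in bin/agent.exe is expected when the version was bumped, so the gate should require a matching, reviewable reason for each changed path rather than treating every change as malicious. The undeclared lib/helper.dll is the case the manifest-based tooling misses, since a manifest only lists what the build was supposed to produce.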
Manage Risk in Software Components
As a software developer, SolarWinds must manage risks posed by the third-party, commercial, and open-source components used in its products. This requires new levels of transparency from the third parties whose components SolarWinds includes in its products. The Spectra Assure SAFE Report simplifies this effort by surfacing the most pressing security issues and expediting remediation. The reports can be used to meet both internal and external compliance requirements and to demonstrate due diligence in assessing risks associated with third-party software components.
Spectra Assure is embedded in SolarWinds’ CI/CD pipeline to serve as the “final check” before software release. One way to lay out such a pipeline on AWS is to store build artifacts in S3, orchestrate scans with Lambda or Step Functions, run scanning nodes on ECS/EKS, keep SAFE report and SBOM data in Amazon RDS or DynamoDB, and have build tools such as Jenkins or GitHub Actions upload binaries to S3 automatically.
Next Step: Third-Party Commercial Software Risk
Like the rest of the industry, SolarWinds is working to improve its third-party risk management and processes for the commercial software it uses. “It’s very common practice for people to look for SOC 2s, ISOs, questionnaires, spreadsheets, and that's a lot of the way evaluation is done today. But that evaluation doesn't really give you enough to be able to truly assess the risk of the product that you're buying,” said Tim Brown, CISO.
SolarWinds would like to identify any risks or threats in the commercial software it uses before acquisition or deployment. ReversingLabs makes this risk assessment possible because Spectra Assure’s complex binary analysis engine provides transparency without requiring access to source code.
Brown shared, “The ideal case is that you're running ReversingLabs on everything before purchase. I not only get the SBOM, but I also get insights into malicious code or tampering.”