Secure by Design is a gold-plated cybersecurity standard introduced by SolarWinds in January 2021 following the SUNBURST cyberattack. Focused on people, infrastructure, and software development, it’s designed to enhance the strength of the company’s security framework and to set a new standard for secure software development. Informed by years of experience from industry-leading cybersecurity experts, Secure by Design was developed with the intention of making SolarWinds a trusted leader in enterprise software security.
SolarWinds has always made cybersecurity a priority. Under the leadership of President and CEO Sudhakar Ramakrishna, a recognized cybersecurity expert and former CEO of Pulse Secure, the company has made significant investments in further hardening its security systems and processes. This includes implementing new security principles and a comprehensive approach designed to ensure all products delivered, internal environments, and software development environments are Secure by Design.
Secure by Design is a multi-faceted approach built to go beyond just software protection. It foundationally prioritizes cybersecurity right from the start and throughout the entire life cycle management process as opposed to viewing it as an afterthought or add-on.
SolarWinds is committed to becoming a leader in software security. SolarWinds created Secure by Design to develop stronger products, processes, and environments for the benefit of its employees, customers, partners, and shareholders—and for the benefit of the infrastructures and supply chains on which we all rely.
Secure by Design includes proprietary technology, products, and processes to further strengthen SolarWinds and the industry at large. This includes the following:
SolarWinds is designing its Next-Generation Build System, a transformational model for software development. The Next-Generation Build System includes software development practices and technology designed to strengthen the integrity of the build environment through a unique “parallel build” process where software is developed in multiple secure, duplicate, and ephemeral environments.
Yes, SolarWinds will release components of the Next-Generation Build System as open source. The company is committed to enhancing overall industry collaboration and transparent communication to protect our shared cyberinfrastructure more effectively from evolving cyber threats.
Led by SolarWinds President and CEO Sudhakar Ramakrishna, CISO and VP of Security Tim Brown, and other senior executives, Secure by Design was created in partnership with leading cybersecurity experts, customers, and partners, including Alex Stamos and Chris Krebs.
Yes. SolarWinds has been able to measure the impact of Secure by Design using red teams, who play the role of a threat actor in simulated attacks, and penetration testing.
SolarWinds customers have embraced the company’s approach to security and commitment to information sharing and transparency. Thanks to Secure by Design, customers know they can trust SolarWinds solutions, and the company has seen a return to historically high customer retention rates.
SolarWinds is committed to sharing its Secure by Design approach with the entire industry, including by releasing components of the Next-Generation Build System as open source. The company has been commended in the industry for Secure by Design, which has provided a new model for how to help prevent and mitigate cyberattacks by following these guiding principles:
SUNBURST was a highly sophisticated cyberattack targeting multiple technology companies, including SolarWinds, and was discovered in December 2020. The U.S. government attributed the cyberattack to a foreign nation.
SolarWinds was targeted in the SUNBURST attack through a new type of sophisticated cyberattack where malware was used to monitor company systems and automatically inject malicious code into the company’s legitimate code before it was made available to customers.
No. Though it was widely misreported in the media, SolarWinds determined these credentials were for a third-party vendor application and not for access to the SolarWinds IT systems. This third-party application did not connect with the SolarWinds IT systems and had nothing to do with SUNBURST.
Fewer than 100 customers were targeted, rather than the “thousands” often reported.
Yes. The company has been transparent in sharing information about its investigation into SUNBURST. The final report was made available in May 2021 and can be found here.
SolarWinds took immediate action to contain the incident, protect its customers, and secure its environment. This included notifying customers and developing and releasing a patch within 48 hours.
Independent experts have noted it’s nearly impossible for any one company to stop sophisticated, motivated, and well-funded nation-state actors.
SolarWinds has never stopped working to ensure the integrity of its systems and further strengthen its environment. The company continues to expand on its Secure by Design approach with the ongoing development of its new software build model.