The size and scope of SolarWinds as an IT software provider, and the nature of the breach announced on December 13, rocked the IT and security world, and rightfully so. We've provided immediate, actionable advice for security and risk pros and IT leaders in our report here. While security leaders guide their companies through the response, there is also some general advice for the vendor world.
Attackers Continue To Exploit Product Security Weaknesses
Throughout 2020, product security failures happened month after month, but most involved consumer-facing products and services. Enterprise B2B vendors didn't get quite as much attention; the SolarWinds breach more than balanced the scale.
Companies that compete with SolarWinds in infrastructure, monitoring, and security products, and security vendors more broadly, should focus on the following:
- Poor product security efforts risk market share for B2B firms. Forrester’s work on product security began with “Secure What You Sell: CISOs Must Tackle Product Security To Protect Customers.” This report provides extensive guidance on how to establish or improve your product security initiatives. Expect this to become a major focus of procurement and legal teams as a result of this breach.
- Vendors should NOT use the SolarWinds breach as a marketing opportunity. Attempting to exploit the misfortune of others never makes a company look good, and in the cybersecurity industry, everyone knows that today it might be them, but tomorrow it could be you. Ambulance chasing, dunking on a competitor, or victim shaming is not just in poor taste. It's deplorable and won't win clients over. FireEye exhibited tremendous transparency in the wake of its own breach and was also able to provide one of the first detailed technical write-ups on the SolarWinds incident.
- Even a security-mature software supplier could have missed this. To find security flaws in their supply chain, top software organizations regularly run software composition analysis (SCA) to identify vulnerabilities in open source components, and they sign their releases with code-signing certificates so customers can check the integrity of the code they receive. Neither control would have caught this attack: the malicious code was not in an open source library, and the backdoored DLL (dynamic-link library) carried a valid signature from SolarWinds' own certificate, because the code was inserted in the build process before the signing step. A signature check tells a customer who signed a file, not that the file matches the vendor's reviewed source. Don't equate susceptibility with a lack of security maturity.
- SolarWinds' degree of transparency with its customer list might need to change. SolarWinds was large and prominent enough to be an attractive target even without naming customers. But the customer page on its website went as far as listing all five branches of the US military, all 10 large US telecoms, and the top five accounting firms as clients. That doesn't mean any of those organizations are caught up in the breach, but it does mean attackers had some idea of the value of SolarWinds as a target should they succeed. Third-party risk management, legal, and procurement will likely force CISOs to reevaluate whether they want to be listed in the future.
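To make the third point concrete, here is an added illustration written for this post; it is not SolarWinds' pipeline or anyone's real tooling. It is a toy build-and-sign pipeline in Python using only the standard library: `compile_from_source` stands in for the compiler, an HMAC keyed with `SIGNING_KEY` stands in for the vendor's code-signing certificate, `inject_backdoor` is a hypothetical attacker's hook on the build server, and `REVIEWED_SOURCE` is a constructed sample. The customer's signature check passes on the backdoored artifact, because the vendor's own key signed it after the tampering. The one check shown that does notice is a reproducible-build comparison (`rebuild_matches`): rebuild from the reviewed source on an independent system and compare hashes. That control is the editor's addition, not something the post recommends.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional, Tuple

# Stand-in for the vendor's code-signing private key. An HMAC is used only so the
# example needs nothing beyond the standard library; the property under discussion
# (a valid signature proves who signed, not that the artifact matches reviewed
# source) holds the same way for Authenticode signatures on a real DLL.
SIGNING_KEY = os.urandom(32)

# Constructed sample "source": what the vendor's engineers reviewed and committed.
REVIEWED_SOURCE = "void Poll() { CollectMetrics(); Report(); }"


def compile_from_source(source: str) -> bytes:
    """Toy deterministic 'compiler': the artifact is a pure function of the source."""
    header = hashlib.sha256(b"build:" + source.encode()).digest()
    return header + source.encode()


def sign(artifact: bytes) -> bytes:
    """Vendor's release-signing step (HMAC stand-in for a code-signing certificate)."""
    return hmac.new(SIGNING_KEY, artifact, hashlib.sha256).digest()


def signature_valid(artifact: bytes, signature: bytes) -> bool:
    """What a customer's installer or integrity tooling checks on receipt."""
    return hmac.compare_digest(sign(artifact), signature)


def inject_backdoor(artifact: bytes) -> bytes:
    """Hypothetical attacker hook on the build server: patches compiled output, not the repo."""
    return artifact + b"\n/* beacon to attacker C2 */"


def vendor_build(
    source: str, build_hook: Optional[Callable[[bytes], bytes]] = None
) -> Tuple[bytes, bytes]:
    """Compile, optionally run the attacker's hook, then sign.

    The hook runs *before* signing, so the vendor's own key signs the tampered
    output and the resulting signature is valid by construction.
    """
    artifact = compile_from_source(source)
    if build_hook is not None:
        artifact = build_hook(artifact)
    return artifact, sign(artifact)


def rebuild_matches(source: str, shipped: bytes) -> bool:
    """Reproducible-build check: rebuild from reviewed source independently and
    compare hashes. This catches build-time injection that a signature check cannot."""
    expected = hashlib.sha256(compile_from_source(source)).hexdigest()
    actual = hashlib.sha256(shipped).hexdigest()
    return hmac.compare_digest(expected, actual)


def run_scenario(backdoored: bool) -> dict:
    """Report what each control says for a clean vs. a build-time-backdoored release."""
    hook = inject_backdoor if backdoored else None
    artifact, signature = vendor_build(REVIEWED_SOURCE, build_hook=hook)
    return {
        "signature_valid": signature_valid(artifact, signature),
        "rebuild_matches": rebuild_matches(REVIEWED_SOURCE, artifact),
    }


if __name__ == "__main__":
    for label, backdoored in (("clean", False), ("backdoored", True)):
        print(label, run_scenario(backdoored))
```

Running it prints a valid signature for both releases and a rebuild mismatch only for the backdoored one. The signature still does its job against tampering after signing (modify the signed artifact and the check fails); what it cannot do is vouch for a build pipeline the attacker controls upstream of the signing key.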