Software providers everywhere are under attack by cyber threat actors. Whether it's ransomware, the latest zero-day exploit, or a supply chain attack like SUNBURST, our entire industry faces an increasingly treacherous threat landscape, and nearly every news day brings another wave of breach announcements and urgent system updates to be made.
As SolarWinds knows better than most, these attacks can be highly sophisticated, well-resourced, and persistent. It's why initiatives like Secure by Design are so important, and why IT practitioners, executives, and business leaders need to ask more of every software vendor they choose.
While some vendors may choose to swoop in when a competitor faces an attack, the truth is no one is safe from every threat. The software vendor who took business from others yesterday may very likely be tomorrow’s newest victim.
What’s most important to remember is any software vendor can be attacked, and every vendor should take additional steps to protect themselves and their users. SolarWinds encourages our customers and prospective customers to ask more of every vendor they consider—including us.
In response to the SUNBURST cyberattack, we rolled out our Secure by Design initiative, and set out on a journey to become an industry leader in secure software development—and to set new standards in information-sharing and public-private partnerships for the benefit of the broader user community.
As part of Secure by Design, we created a set of questions IT practitioners, executives, and business leaders should ask of any software vendor they evaluate, including SolarWinds. We believe these questions, together with the answers SolarWinds provides, offer our customers valuable perspective on how they can better prepare themselves to face an inevitable security issue, because the next attack is always on the horizon.
Dimensions organizations should evaluate when considering any software provider include the following:
- What is their approach to a secure software development lifecycle (SDLC)?
- How do they secure software code and its associated infrastructure?
- Have they implemented an enterprise risk management (ERM) program, and what is it?
- When a threat or vulnerability is discovered, what are their processes to notify customers, and do they include possible mitigations?
- What level of detail do their internal processes provide to identify insider threats?
- What are their internal processes to validate changes: what was changed, when it was changed, who made the change, and why?
- Do they have an internal hiring screening process sufficient to identify adversarial actors, potential U.S. domestic terrorists, or candidates with criminal backgrounds?
We provide answers to all these questions detailing what SolarWinds has implemented in terms of process, standards, and strengthened protections. We believe this is a comprehensive guide for our customers and prospects to measure our readiness to support them—and we encourage them to apply the same rigor to other providers they evaluate, as well.