Software Supply Chain Risk: Lessons from Solar Winds

Posted on January 15, 2021
Author: RunSafe Security

By now everybody is aware of the extent of the SolarWinds security attack, but it is worth saying that this massive compromise enables bad actors to gain entry to hundreds of thousands of companies and government agencies via the SolarWinds backdoor. Unfortunately, this software supply chain risk could happen to any software maker exposing not only their intellectual property, but their customers’ networks, applications, and data to bad actors. The lesson here is that bad actors always find a way to gain entry into organizations’ systems. 

For example, already in 2021, we have learned about JetBrains software development tools being compromised and even perhaps being a part of the SolarWinds cyber kill chain. Whereas SolarWinds is a demonstration of compromising IT management software, 樂威壯
: 400;”>JetBrains is an example of vulnerabilities in software development tools, perhaps leading to malicious code being inserted into legitimate builds prior to code-signing. 

In thinking through our security postures, we should not simply ask: “How do I stop the SolarWinds or JetBrains compromises?” Instead, we all need to think strategically about our entire software supply chain and implement methods to disrupt not only these attacks, but future ones. 

For example, even the U.S. Air Force software development teams, led by Will Roper and Nicolas Chaillan, are not only replacing these compromised tools, but they are looking for ways to harden all of the tools in their software factories, whether it is from the build toolchain or the deploy toolchain. Other organizations are replacing products from their software supply chain with competitive tools that already have more robust security protections. 

At RunSafe Security, our mission is to disrupt hacker economics by immunizing your technology without slowing down developers so that you have security protections built into your software. For this reason, enterprises and government agencies are looking to us to supply their open source packages, their DevOps tools, and the software they produce for others. 

So, whether you use SolarWinds, JetBrains, or any other tool, we all need to take software supply chain vulnerabilities seriously. RunSafe was built on the assumption that the supply chain will be compromised and bad actors will get in – and our mission is to disrupt these attackers by immunizing your software even when they do gain access to your systems.

RunSafe Security’s 2025 Product Security Predictions

RunSafe Security’s 2025 Product Security Predictions

Product security has come a long way since  the early 2000s to the current iterations we’re seeing today. From CISA’s focus on Secure by Design to the growing emphasis on software supply chain security, software manufacturers, software buyers, and regulatory...

read more