SolarWinds, for one, has developed the “Next-Generation Build System,” a parallel-build process that protects the software development process by developing software in multiple secure, duplicate, and ephemeral environments. To help the industry secure its software development, SolarWinds is releasing components of the build system as open-source, enabling other companies to benefit from SolarWinds’ innovations.
Here are four guiding principles that companies must consider adopting to further strengthen their build systems and improve security in the face of increased risks.
### Build Systems That Self-Destruct and Are Built With Code
To safeguard the software development process, organizations need to implement build systems that leave no long-lived environments. It’s critical to develop products in short-term software build environments that self-destruct after each task is complete. Short-term build environments minimize the vulnerabilities and out-of-date components that accumulate in long-lived ones and create an opportunity for attackers to congregate and target organizations. Additionally, self-destructing build environments that are defined in code enable version control and safeguards for build components. Building in short-term, self-destructing environments is a tightly controlled process that requires organized leadership, as organizations must isolate, administratively separate, and closely supervise these build systems.
### Reproducibility Is Key
Reproducibility is a crucial factor in ensuring build security. If a development team can build software in one place and rebuild it on another system or at a different time with the same outcome, then the software behaves consistently, which helps identify anomalies, prevent unauthorized adjustments, and weed out disparities in the code. With reproducibility, software developers can reproduce errors to better understand and remediate them and identify any unauthorized adjustments in the build pipeline. Reproducible builds allow organizations to compare the final output built from the source code to ensure it’s the same regardless of where or when the build was created.
### Build in Parallel
Another way to strengthen the integrity of the software development process is through parallel builds. Use three logical build pipelines – the developer pipeline, the staging/validation pipeline, and the production pipeline – and ensure that all builds meet the characteristics described above. The developer pipeline performs normal engineering builds, while the staging/validation pipeline is where quality, security, and performance tests take place. The production pipeline has extremely limited access, with only a couple of pre-defined people assigned access. Before shipping from the production pipeline, its build is compared to the staging pipeline’s build, and the build model assumes a breach, meaning one compromised person can’t independently compromise a production build. These parallel environments are independent, each with a single entry point, which decreases vulnerability by focusing the potential threat on a single environment.
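The comparison between staging and production output, which relies on the reproducibility described earlier, can be sketched as a digest check over two build output trees. This is an added example, not SolarWinds’ code; the function names, directory layout, and file contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict[str, str]:
    """Map every file under root (by relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_builds(staging: Path, production: Path) -> dict[str, list[str]]:
    """Report files that are missing, extra, or different between two builds."""
    s, p = manifest(staging), manifest(production)
    return {
        "only_in_staging": sorted(s.keys() - p.keys()),
        "only_in_production": sorted(p.keys() - s.keys()),
        "content_differs": sorted(k for k in s.keys() & p.keys() if s[k] != p[k]),
    }


def release_allowed(diff: dict[str, list[str]]) -> bool:
    """Gate: ship only when the two pipelines produced identical output."""
    return not any(diff.values())


def make_tree(root: Path, files: dict[str, bytes]) -> Path:
    """Write constructed sample artifacts to disk (demo helper)."""
    for name, data in files.items():
        target = root / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


def demo():
    """Compare a matching and a mismatching production build against staging."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        clean = {"bin/app": b"app-constructed", "lib/core.dll": b"core-v1"}
        changed = {**clean, "lib/core.dll": b"core-v1-modified", "lib/extra.dll": b"x"}
        staging = make_tree(base / "staging", clean)
        prod_ok = make_tree(base / "prod_ok", clean)
        prod_bad = make_tree(base / "prod_bad", changed)
        return compare_builds(staging, prod_ok), compare_builds(staging, prod_bad)


if __name__ == "__main__":
    for diff in demo():
        print("release allowed:", release_allowed(diff), diff)
```

A byte-for-byte comparison like this only passes when the build is deterministic, so embedded timestamps, build paths, and similar nondeterministic inputs have to be fixed or stripped first.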
### Retrace Your Steps
Traceability is the final principle critical for ensuring that the software development process is secure. It’s crucial to record each build step through a tracking process so that it can be verified before the software is released. Engineers and management must sign off on each project before running it through the pipeline. Every procedure should be monitored carefully, ensuring that every piece of code is matched and correctly implemented and has a clear, traceable history. Human validation prior to production release helps to ensure that all appropriate steps are taken for quality and security.
The cybersecurity landscape is constantly evolving with new threats and motivated, well-funded bad actors emerging every day. To thwart and mitigate these threats, improving the security of the software development process is critical. The industry must adopt these principles while being open about security and sharing information and best practices to improve industry-wide security.
<< photo by Jonathan Petersson >>