Solarwinds Source Code Breach - How to Protect Your Source Code Management Platform - Adaptive Shield

Adaptive Shield Team

If you’re a security professional, by now, you’ve already heard about the epic Solorigate or Sunburst breach.

The massive hack was exposed in mid-December 2020 (ah 2020; the “gift” that just keeps on giving…) and compromised numerous high-profile companies and government organizations. Security giant FireEye was the first to discover the widespread breach, which resulted in the theft of code its Red Team had developed to simulate cyber attacks, as well as the breaching of many other organizations and the exfiltration of their data.

While this sophisticated, multi-stage breach is still under investigation, federal institutions along with the international cybersecurity community already have a pretty good idea about how it occurred. In a nutshell, the adversary (allegedly a nation-state actor) first managed to insert malicious source code into the Solarwinds Orion product suite, one of the most prevalent IT monitoring solutions. The malicious code created a backdoor inside that product and, once installed in a customer network, the compromised server contacted its command-and-control server to receive instructions. These instructions were capable of escalating privileges, downloading and executing payloads, moving laterally throughout the network, and compromising other assets.

Securing Your Source Code is Essential

The topics of how exactly Sunburst/Solorigate spread across networks and how organizations can detect it have already been covered in many great articles (for example, Microsoft's analysis and recommendations). In this article, we are going to touch upon the root cause of Solorigate and provide infosec and corporate security teams with some practical recommendations on how they can better secure their source code management platforms.

Traditionally, source code management platforms are owned and managed day-to-day by development teams, and the reality is that security aspects and controls are, at times, deprioritized. This breach serves as a painful eye-opener: corporate security teams must take a stand and emphasize the critical nature of security with their respective counterparts, and then make sure they do everything possible to harden and secure their source code and version control platforms.

Practical Tips to Secure Source Code Platforms

Version control platforms have greatly matured in recent years and now natively offer many controls which can be easily implemented and don’t require any additional tools. For the purpose of this article, we’ve used controls available in GitHub and its respective terminology, since this is one of the most prevalent source code platforms. Nevertheless, most of these controls are also available in some shape or form in other products.

Platform-specific security controls

For each third-party app installed on the platform, ask:

  1. What access levels does it have? (For example, is it limited to low-sensitivity data, read-only access, etc.) You can collect these based on the OAuth scopes that each app has.
  2. Which automation can such apps initiate?
  3. Which user approved them and for what reason? Are they still needed?
  4. If a third party is compromised it puts you at risk as well, so verify the authenticity of the App author.

Monitor the audit log for events such as:

  1. repo.create
  2. repo.add_member
  3. integration_installation.create
  4. repository_vulnerability_alerts.enable
  5. repository_dependency_graph.enable
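The audit-log events listed above are only useful if something actually reviews them. As an added example (not code from the original post or from Adaptive Shield), here is a small Python triage script run over constructed, newline-delimited GitHub audit-log entries; the action names are the ones listed on this page, while the other field names, the sample values and the severity labels are assumptions made for this example.

```python
import json
# Audit-log actions the article lists for monitoring; severity labels are this
# example's own triage choice, not anything GitHub defines.
WATCHED_ACTIONS = {
    "repo.create": "info",
    "repo.add_member": "medium",
    "integration_installation.create": "high",
    "repository_vulnerability_alerts.enable": "info",
    "repository_dependency_graph.enable": "info",
}

# Constructed sample entries shaped like a newline-delimited GitHub audit-log
# export; field names other than "action" are assumptions for this example.
SAMPLE_LOG = """
{"action": "repo.create", "actor": "alice", "repo": "acme/billing"}
{"action": "repo.add_member", "actor": "alice", "repo": "acme/billing", "user": "contractor-bob", "permission": "admin"}
{"action": "integration_installation.create", "actor": "dave", "org": "acme", "integration": "ci-helper-app"}
{"action": "git.push", "actor": "carol", "repo": "acme/billing"}
not-json-garbage-line
{"action": "repository_vulnerability_alerts.enable", "actor": "alice", "repo": "acme/billing"}
"""

def parse_audit_log(text):
    """Parse NDJSON entries; skip blank or malformed lines rather than abort the review."""
    entries = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return entries

def find_findings(entries):
    """Return (severity, action, description) per watched event; admin grants are escalated."""
    findings = []
    for e in entries:
        action = e.get("action")
        if action not in WATCHED_ACTIONS:
            continue
        severity, who = WATCHED_ACTIONS[action], e.get("actor", "?")
        if action == "repo.add_member":
            if e.get("permission") == "admin":
                severity = "high"  # admins can alter branch protection and merge unreviewed code
            desc = f"{who} granted {e.get('user')} '{e.get('permission')}' on {e.get('repo')}"
        elif action == "integration_installation.create":
            desc = f"{who} installed app {e.get('integration')}: verify author and OAuth scopes"
        else:
            desc = f"{who} performed {action} on {e.get('repo') or e.get('org')}"
        findings.append((severity, action, desc))
    return findings
```

Calling `find_findings(parse_audit_log(SAMPLE_LOG))` returns four findings; the unwatched `git.push` and the malformed line are skipped, and both the admin grant and the app installation come out as high severity.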

Secure Code

General Controls:

In conclusion

Aside from the immediate impact Solorigate has had on many organizations, as well as the tremendous efforts that are being made to identify and recover from this breach, we truly believe that this is a learning opportunity; as Winston Churchill said, “Never let a good crisis go to waste.”

While most organizations face far less sophisticated attacks than nation-state-backed ones, attacks are always growing more complex and advanced. This is why it’s critical to get back to the basics, such as applying preventive security measures, hardening all sensitive platforms, and continuously monitoring them, to reduce the chances of getting breached. And while we’ve only examined one facet of the Solorigate breach and a single attack vector out of many, we should all take this opportunity to do what we can to contain the blast radius of such breaches, if and when they occur.

Check out how Adaptive Shield can help you protect your SaaS apps using continuous monitoring of their configurations.

About the writer

Adaptive Shield Team

Businesses today run nearly every facet of their operations using a wide array of interconnected SaaS apps. Adaptive Shield’s team is here to keep you informed as well as help you secure your SaaS estate.