- SolarWinds is setting up new standards for securing its software build cycle and adopting reproducible builds to weed out disparities in binary code, said Lee McClendon, SVP of research and development at SolarWinds, during a webcast Tuesday. A reproducible build is the ability to reproduce an error to better understand it.
- In a reproducible build, "if you do a build of a certain set of source code, and you get another build of that source code, those two outputs will be byte by byte compatible, meaning equivalent output from both of those," said McClendon. To achieve a reproducible build, companies will likely have to revisit how they manage versioning and dependencies.
- An attacker would have to compromise two different environments to achieve the same attack on the same code. "It would take an attacker double the effort," said Caleb Queern, director of KPMG Cyber Security Services, during the webcast. "It's impractical for most attackers most of the time."
Overhauling the software build cycle is overwhelming, and knowing where to start is part of the challenge. Prioritizing security initiatives starts with cybersecurity basics:
- Understanding assets and where they're stored
- Knowing who can access those assets and how they do it
For some organizations, updating the security of their build process is not a priority, or it can at least wait until the next round of security investments. For others, software makers "don't have the luxury of saying 'This was a surprise,'" said Queern.
A reproducible build gives companies insights into the final output of source code, regardless of where it's stored — whether a build takes place in the cloud by a service provider or in a data center. People want and need to be able to see unauthorized adjustments in the build pipeline, though it does take a significant amount of engineering to achieve reproducible builds, according to Queern.
Code manipulation that takes place in generated binaries, as opposed to the primary source code, are more difficult to find before they become destructive. Having more than one route of verification "offers comfort to front-liners," so they don't fall to a threat, according to the Reproducible Builds project.
"Almost all software today is not reproducible," wrote David Wheeler, director of open source supply chain security at The Linux Foundation, in a January blog. The shift to this security addition "will not be easy."
While an important piece of a secure software build cycle, reproducibility falls behind other priorities of major software producers, though critical software-makers will adopt reproducibility first. Closed source software will take longer to adjust to reproducible builds compared to open source because the code is intentionally hidden, according to Wheeler.
The SolarWinds Orion compromise has spurred a renewed focus on reproducibility. During the SolarWinds hack, Sunburst malware was injected into the build process right before compilation; the source code was never manipulated.
The varying authentication mechanisms between where the builds are allows companies to have their release build coupled with one or more validation builds. Separated and multiple pipelines provide "different security contexts that you can compare," said McClendon. "And if they don't all match, it means there was a problem somewhere along the way that you need to investigate."