After the recent cyberattack on SolarWinds, many companies are investigating whether any of their suppliers (ourselves included) are affected by this incident.
SolarWinds Orion products (affected versions are 2019.4 through 2020.2.1 HF1) are currently being exploited by malicious actors. This tactic permits an attacker to gain access to network traffic management systems. - https://cyber.dhs.gov/ed/21-01/
Q. Does Secure Code Warrior® use the SolarWinds Orion software?
Q. Has Secure Code Warrior® implemented the recommended countermeasures in response to the FireEye Red Team tool breach?
A. No. Please note that the tooling is primarily aimed at Windows/Microsoft targets, and we don't run any in our networks.
Q. What is Secure Code Warrior's approach to continued code review to ensure, to the largest extent possible, that malicious code is not included in the company’s codebase?
A. We employ a number of best practices, including:
- Code security training of all staff cutting code
- Mandatory source code review
- Logging of commits and changes via source control
- Automated Static Application Security Testing (SAST)
- Regular penetration testing
- Vulnerability scanning of all third-party libraries
- Vulnerability scanning of all production containers
- All deployments go through an automation pipeline that enforces security and quality assurance
Q. What is Secure Code Warrior's policy with respect to identifying and mitigating product and network security vulnerabilities?
A. In addition to following the above-mentioned practices, all outputs (e.g., findings) from security testing activities are assessed and prioritised by a dedicated security team who then raise and track work assignments (with attached SLAs) with product and engineering teams.