Three Things to consider about this Solar Winds Hack
BUF: The software package was too big to fail. Too many security fences provided by one vendor. Break it up or source the software differently.
Bullet 1) The note on Solar Winds stock drop. Keeping the stock competitive has probably been cause for Lean Six Sigma being applied to the Coders' and Compliance Branches' processes.
Bullet 2) Coders not filing their Test Compliance Reports (TPS) and generally showing poor coding practices. Think Boeing and their Space Capsule. Dynamic Link Libraries (DLL) are god's gift to the coder. You just add a Library and call it fixed. It isn't really a Box set program review. Dynamic Link Libraries are just a repository for actions in the as-built program. I bet you a dollar to a doughnut the library has been creeping in size instead of a whole code rebuild.
Bullet 3) Compliance is in charge of the code base validation and integrity processes. One part of Validation is certificates for the code. Probably just a fancy word for an MD5 hash of the DLL that was recompiled and added into the check of the entire module's MD5 Hash. The integrity is real gritty stuff when you are using a modification / monitoring tool like Solar Winds. What are the compliance metrics being checked? I'd be interested to see the work breakdown statement on the compliance portion. IMO I'd check my Remedy for the audits after checking its integrity.
Jeesh
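Bullet 3 speculates that the "certificate" check is really a hash of each recompiled DLL folded into a hash of the whole module. The block below is an added example of what that kind of manifest-based integrity check looks like in practice; it is not code from the post or from SolarWinds. It records a per-file digest for every file in a build output directory, derives a module-level digest from the canonical manifest, and then reports any file that is missing, modified, or unexpected. It uses SHA-256 rather than MD5, since MD5 collisions are cheap to produce and an attacker who can swap a DLL can also craft one with a matching MD5. The directory and the two stand-in "DLLs" are constructed inside the example; the file names are placeholders, not real product files.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path, algorithm: str = "sha256") -> str:
    """Stream a file through a hash. Default is SHA-256; MD5 is collision-prone
    and should not be used as an integrity control."""
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _relative_paths(root: Path) -> List[str]:
    # Sorted, forward-slash paths so the manifest is canonical across platforms.
    return sorted(
        str(p.relative_to(root)).replace("\\", "/")
        for p in root.rglob("*")
        if p.is_file()
    )


def build_manifest(root: Path) -> Dict[str, object]:
    """Per-file digests plus a module digest over the canonical manifest text,
    so that a change to any single file changes the module digest too."""
    files = {rel: file_digest(root / rel) for rel in _relative_paths(root)}
    module = hashlib.sha256(
        json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    ).hexdigest()
    return {"files": files, "module": module}


def verify_manifest(root: Path, manifest: Dict[str, object]) -> List[str]:
    """Return a list of findings; an empty list means the tree matches the manifest."""
    expected: Dict[str, str] = manifest["files"]  # type: ignore[assignment]
    findings: List[str] = []
    for rel, digest in expected.items():
        p = root / rel
        if not p.is_file():
            findings.append(f"missing: {rel}")
        elif file_digest(p) != digest:
            findings.append(f"modified: {rel}")
    # Files that appeared after the manifest was recorded are just as suspicious.
    for rel in _relative_paths(root):
        if rel not in expected:
            findings.append(f"unexpected: {rel}")
    return findings


def demo() -> Dict[str, object]:
    """Build a constructed two-file 'build output', record its manifest, then
    append bytes to one library (the 'creeping DLL' case) and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for compiled libraries; placeholder names, not real files.
        (root / "core.dll").write_bytes(b"MZ" + b"\x00" * 64 + b"core build 1")
        (root / "agent.dll").write_bytes(b"MZ" + b"\x00" * 64 + b"agent build 1")

        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)

        # Simulate a library modified after the manifest was signed off.
        with (root / "core.dll").open("ab") as f:
            f.write(b"extra bytes")
        tampered = verify_manifest(root, manifest)
        module_changed = build_manifest(root)["module"] != manifest["module"]

        return {"clean": clean, "tampered": tampered, "module_changed": module_changed}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points worth noting: the module digest is computed over the sorted manifest rather than by concatenating file contents, so the check also catches files that are added or removed, and the manifest itself must be stored or signed somewhere the build pipeline cannot rewrite, otherwise a compromised build step simply regenerates it alongside the modified DLL.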