Investors are seeking damages with the aim of reforming the company's policies on cybersecurity oversight. The SolarWinds attack is a wake-up call for CIOs, showing how critical it is that companies create and maintain effective code review and code signing processes.
SolarWinds investors have sued the company's directors, claiming that the SolarWinds knew about and failed to monitor cybersecurity risks ahead of a breach, according to Reuters.
The lawsuit names current and former directors as defendants, according to the report. Beginning in September 2019, a campaign of cyberattacks, now attributed to the Russian Foreign Intelligence Service, breached SolarWinds — a Texas-based network management software company. The threat actor injected malicious code into a file that was later included in SolarWinds’ Orion software updates, which were released to approximately 18,000 customers. The threat actor then targeted “a subset of high-value customers,” including the federal government.
This puts CIOs and CISOs in the hot seat as the burden of cybersecurity falls squarely on their shoulders. Eddie Glenn, Senior Manager Product Marketing at Venafi, warned about the risk that many CISOs and CIOs “may not be thinking about but should be…Hint: the hidden villain is insecure codes signing.”
“A typical Global 5000 company likely has thousands, or tens of thousands of software developers spread around the globe…To use code signing, all of these teams need access to private code signing keys. And when that happens, the keys often get stored on developers’ laptops, build servers, or web update servers and thus become vulnerable to theft or misuse,” Glenn wrote in April of 2020.
While the exact cause of this data breach is yet unknown, it is entirely possible that this could have been prevented there had been code signed artifacts throughout the code development process. These processes are extremely difficult for even the most competent team to manage manually. This is why automation is the best solution to secure every aspect of your network’s machine identities, from code signing to SSH and TLS certificate management.
Venafi CodeSign Protect offers quick and secure enterprise-grade code signing that your developers will feel confident relying. Secure your private keys from threat actors, gain full visibility into all code signing activity on your network, and improve efficiency and policy enforcement across the board with automation.