4. Lean On Vulnerability Management, Pen Testing
SolarWinds will expand its vulnerability management program to reduce the company’s average time-to-patch and better enable the company to work with the external security community, according to Ramakrishna. The company also plans to perform extensive penetration testing on Orion and related products to identify any potential issues, which will be resolved with urgency, Ramakrishna said.
The New York Times reported Jan. 2 that common security practices were eschewed during the tenure of former CEO Thompson because of their expense. Some of the eschewed security measures may have put SolarWinds and its customers at greater risk for attack, according to The New York Times. SolarWinds declined to comment on the claims in the Times piece.
Specifically, the Times reported that under Thompson, SolarWinds moved much of its engineering to satellite offices in the Czech Republic, Poland and Belarus, where engineers had broad access to the compromised Orion software. SolarWinds said the manipulation of Orion was done by human hackers rather than a computer program, but hasn’t addressed whether insiders were involved in the attack.