Introduction
SolarWinds provides a suite of solutions relied on by more than 300,000 businesses around the world to manage, monitor, and secure their IT environments. While uncompromising security has always been a core tenet of the organization, the 2021 introduction of its “Secure by Design” program launched the company to the forefront of a new era in secure software development.
At the center of this initiative is a tight partnership between longtime SolarWinds CISO, Tim Brown and its VP of Engineering, Paul Gray. This is the story of how Cortex helped to further unite the security and engineering teams to ensure the reliability of the company’s latest product offering.
The Secure by Design Initiative
Immediately following the 2021 SUNBURST cyberattack, SolarWinds created a new model designed to bolster the security and provenance of its solutions. “The skills you need before an incident are very different from the skills you need after an incident,” says Tim. “You have to get better and, in doing so, help others get better. That’s what we’re doing with the Secure by Design Initiative.”
Focused on people, infrastructure, and software development, the SolarWinds Secure by Design initiative is designed to enhance the strength of the company’s security framework and set a new industry standard for secure software development. Informed by years of experience from leading cybersecurity experts, Secure by Design was developed with the intention of making SolarWinds a trusted leader in enterprise software security.
As VP of Engineering, the role Paul plays in this initiative is far-reaching but is heavily anchored in ensuring the reliability of the company’s software build pipelines. As the team prepared to launch a new product—SolarWinds Observability—it was critical to both Paul and Tim to ensure the entire SaaS portfolio software supply chain was secure. They turned to Cortex to help.
Why SolarWinds chose Cortex
Two principles of the Secure by Design initiative deal with improving visibility:
- Improve overall security through transparency
- Increase efforts to gain more visibility into systems and processes
While SolarWinds has a number of observability and monitoring tools to support both, Paul was keen on not just understanding the current state, but improving it—and doing so as quickly and efficiently as possible.
“We were looking for a service catalog, but wanted to go beyond just understanding contents and ownership—we wanted to actively drive improvement and enforcement of best practices.” Paul continues, “We first looked at Backstage [Spotify’s open-source IDP] but did the math on how long it would take us to build our own front-end experiences, reporting, and integrations to our build pipeline and top tooling. We realized just getting set up would take a full-time engineer six months. We chose Cortex because it provided all the logical defaults we needed to get going quickly, with the ability to customize where needed. Out-of-the-box scorecarding and reporting also meant we could quickly set and verify best practices, pinpoint issues, and proactively address even minor divergences.”
Tim adds, “Cortex helps unite our organization in defining cross-cutting standards of excellence. We plan to share our learnings about best practices here to help the whole community reach new levels of software maturity, security, and reliability.”
Within just a few weeks, SolarWinds fully integrated its SaaS software supply chain with Cortex, making it easy for the entire organization to gain visibility and set standards for the security and maturity posture of all SolarWinds Observability services.
Setting expectations of excellence
SolarWinds used Cortex’s out-of-the-box integrations to deliver comprehensive security and maturity scorecards for 96 services that make up SolarWinds Observability. Paul shares, “We have five platform teams, seven application teams, and fifteen embedded SREs. Cortex helps us come together to codify software deployment requirements, including end-to-end testing, code coverage, and integration with security and monitoring tools.”
He continues, “Using Cortex to provide standards to SolarWinds Observability developers has minimized performance and quality issues, increasing the overall reliability of the SolarWinds Observability product. Services that do not meet our scoring criteria can’t be released to production.”
The SolarWinds Security Scorecard
Leveraging Cortex’s integrations to SolarWinds SDLC tooling, including AWS Inspector, Mend, Jira, and Checkmarx, SolarWinds was able to easily create a service scoring rubric that considers the quantity and severity (CVSS) of any vulnerabilities found within production services. Since launching this scorecard, 96 services have achieved minimum security standards—a testament to the team’s already extremely high bar for development practices.
The SolarWinds Maturity Scorecard
SolarWinds has also launched a maturity scorecard for SolarWinds Observability services leveraging additional out-of-the-box integrations to evaluate gamedays, runbooks, service guides, readiness probes, liveness probes, and proper Kubernetes resource configurations. The team’s Maturity Scorecard already has an impressive rate of attainment, with a 100% median score across 96 services. Paul adds of the team’s accomplishment, “Scorecards can help pinpoint issues and drive urgency, but they’re also useful for acknowledging the team’s hard work before measurement even begins.”’
What’s next for SolarWinds
SolarWinds plans to continue using Cortex scorecards to further increase the security and reliability of the SolarWinds Observability platform and sharing their learnings and best practices with other groups both inside and outside the organization.
The team has also begun adding Scorecards to their CI flow. “This scorecard concept has proven so valuable that we are in the process of fully automating it as part of our continuous distribution flow within CircleCI.”
To learn more about how Cortex can help you build a culture of continuous improvement, check out our website, or book some time with our team of experts.
