TechTarget published an article following the SolarWinds breach, "5 Cybersecurity Lessons from the SolarWinds Breach." The article includes a section on the importance of requiring penetration testing for third-party service providers. BreachLock’s founder and CEO, Seemant Sehgal, offered his input to the author, Sandra Gittlen, and his comments were included in the article.
What happened with the SolarWinds Breach?
To give some context on the well-known SolarWinds breach: although the attacks began as early as 2019, the breach wasn’t discovered until the end of 2020. Hackers compromised a plethora of high-profile organizations through SolarWinds’ Orion software, which contained a trojan component that enabled remote access. This trojan horse allowed hackers to infect all of SolarWinds’ customers’ systems remotely. Among the almost 20,000 organizations impacted by the SolarWinds breach, some of the most notable were U.S. government entities, including the U.S. Treasury and the Department of Homeland Security, in addition to most of the Fortune 500. After further investigation, the attacks were attributed to the Russian hacking group known as APT29. The attack was highly sophisticated, but in hindsight it could have been prevented if proper testing procedures had been in place.
Analysis of the SolarWinds Breach from a Global Pen Testing Leader
In TechTarget’s article, Sehgal commented on the importance of organizations holding themselves accountable for ensuring that their third-party service providers maintain a strong security posture. He told TechTarget that companies must show integrity by holding their service providers responsible for ensuring that the software they choose to incorporate into their business’s network is secure. Specifically, Sehgal stated, “If you, as an enterprise, aren’t watching what you are introducing in terms of software code or service provider applications, you are leaving yourself vulnerable to a hack like SolarWinds.”
To add to Sehgal’s statement, it’s common for businesses to require their software vendors to provide third-party validation of their security posture, but this is often treated as a checkbox exercise that fulfills a requirement without being taken as seriously as it should be. Offering one viable way to reduce the risk of working with outside software vendors, Sehgal added that all software purchases should be centralized so that the proper testing and validation procedures are followed across the board.
How Pen Testing Could Have Prevented the SolarWinds Breach
In Section 2 of TechTarget’s article, “Test your Vendors’ Software for Vulnerabilities”, Sehgal elaborates on how pen testing could have prevented SolarWinds from being exploited by hackers. He raises an interesting point: offensive security testing procedures like automated code review, while somewhat useful, are sometimes unable to detect “unknown unknowns.” Because the SolarWinds breach leveraged an injection that looked like a normal component of the source code and was not flagged by automated code reviews, the vulnerability went unknown for months. It is a vulnerability that would have been discovered had the code been properly pen tested to reveal the malicious activity it was enabling. Sehgal added, “if a cyber threat materializes, you are on the hook because you had a step missing. That step – a hybrid approach where automated security checks are complemented by a human-led pen test – could have potentially detected the vulnerability and limited the damage.”
Modern Pen Testing to Find and Fix Your Next Cyber Breach
Pen testing is far more accessible, fast, and affordable than it was before it was modernized. Traditionally, pen testing followed a consultancy-based approach and was performed 100% manually by human penetration testers. In recent years, innovative providers in the pentesting space have introduced a new way of penetration testing: Pen Testing as a Service (PTaaS).
BreachLock, for example, accelerates pen testing by 50% and reduces TCO by 50% by leveraging a human-led, AI-enabled hybrid approach. Certified human pentesters (OSCP, OSCE, CREST, GSNA, CISSP, CEH) perform a manual deep dive on our clients’ systems, while known and easy-to-find vulnerabilities are discovered through automation and mundane reporting tasks are offloaded to AI. BreachLock offers downloadable, comprehensive, audit-ready pen testing reports, and we also deliver detailed, evidence-backed, actionable results through our award-winning client portal to help your team remediate quickly with prioritized actions and DevOps workflow integrations with Jira, Slack, and Trello.
Contact us today to join our 700+ clients in improving their cyber resiliency and validating their security posture for vendor assessments and compliance (SOC 2, PCI DSS, ISO 27001, HIPAA, GDPR) faster than ever while staying within budget. With BreachLock, reaching your security goals is much simpler than you’re used to.