What’s the top priority: securing your code or your infrastructure?

Anonymous Author
Given the focus that SolarWinds has created around code security and how people are looking at the supply chain, we’re always looking at solutions in that space because now everything is under a microscope. In terms of actual source code, we have internal controls in place from multiple people involved in the process before the code is deployed anywhere, so our risk is lower compared to other areas right now. There are best practices that you can implement that significantly reduce your risk. When I think about perimeter security, infrastructure security, cloud security, the things that I'm driving our portfolio companies to work on is to make sure they have two-factor authentication and SSO integration, and that their identity management is in place so that they have AWS and Azure. You have all these different things going on, but you're managing access to those platforms through a workflow that can be managed. Then they need to make sure there's governance around it, because the biggest challenge is exceptions. There’s always a situation where someone needs to do this work because production is down but then no one goes back and looks at it.
2 upvotes
Anonymous Author
These are not mutually exclusive. A code vulnerability can result in a compromise of your infrastructure. We prioritize our remediation efforts based on criticality of the vulnerability, availability of an exploit, whether something is publicly facing and what type of data it has.
2 upvotes
Anonymous Author
There are multiple solutions for both separately, but more and more people are trying to create a single solution set to solve both problems simultaneously.
1 upvote
Anonymous Author
A stat about SNMP basic protocol that came up in my discussions with some Fortune 10 companies really opened my eyes. The vulnerability that we've got in that protocol, across literally everything from building management systems to air conditioning, v1 and v2 exist everywhere. SNMPv3 is “theoretically” secure, but in reality it's completely hackable. And where did the Target breach come through? An HVAC system that got them in to compromise the other systems. Our grid today is all set up in that manner. They're using SNMPv3 “securely” and then our grid to the digital infrastructure, to all the other aspects. So there are the vectors just in applications on cloud, but you also have to think about how many holes are underneath.
0 upvotes