ConnectWise has continued to invest in security. It has now announced a new set of actions to improve its own security posture, including a “shift left” policy to find bugs in its own code earlier in the development cycle.
Jason Magee, CEO, ConnectWise commented: “With the current cybersecurity threat landscape in our industry, everyone is a target. Hundreds of software providers, thousands of MSPs, and the millions of SMBs those MSPs support are all at risk. That means that all of us have a part to play in combating those threats – and that includes ConnectWise. We take trust and transparency seriously, and it’s important that our partners understand the steps we are taking to push them and the entire industry as a whole to be more secure.”
In its announcement ConnectWise highlighted a three-pronged approach:
- “Shift Left” in Software Development Cycle.
- Independent Third-Party Testing.
- Commitment to Transparency.
As part of its “shift left” strategy it is carrying out the following improvements to its SDLC:
- Strengthening threat modeling and abuse case development.
- Increasing automated testing coverage.
- Tighter integration between security and code delivery pipelines.
Independent third party testing
ConnectWise emphasized that it already uses third-party companies for security assessments and penetration tests. It will now extend this by starting a Bug Bounty program that is open to individual testers.
Details of the Bug Bounty program do not yet seem to be available. In the meantime, users can report bugs through the ConnectWise Bug Report Portal. Provided the rewards are meaningful, a bug bounty is a proven way of getting outside researchers' findings to a vendor before attackers find the same flaws. Intel's L1 Terminal Fault vulnerabilities, for example, were reported to Intel by external academic researchers in 2018 rather than found in-house.
Transparency helps to build trust with partners and the wider MSP community. ConnectWise launched a Security and Trust site in January as a portal which enables it to share its latest information about four key topics:
- Business Continuity
The site publishes recent statements on these topics, most notably its current position on COVID-19. It also revealed that it carried out business continuity drills with staff in Mumbai, Pune and the US. These involved support staff working from home, testing the scenario that many companies will face as people are told to self-isolate.
The statement was transparent in noting that these home workers would use their own mobile phones for outbound calls. ConnectWise may need to revisit this approach because of the cost. However, a home-based VoIP solution has challenges of its own, notably bandwidth.
It is looking to further enhance the site with a security bulletins section that will communicate:
- Security alerts.
- Product vulnerabilities.
- Critical patches.
Additionally, ConnectWise partners can opt to receive proactive updates of notifications. It will also add a communication channel to enable responsible disclosure of vulnerabilities. This will be the medium by which security bugs can be logged and will be the first stage of the bug bounty program.
Enterprise Times: What does this mean
The announcement demonstrates a mature and seemingly comprehensive approach to security from ConnectWise. It is slightly disappointing that information about the Bug Bounty is not yet available.
The company first announced that it would take this approach in January when Magee published an open letter in response to security consultancy Bishop Fox discovering eight potential vulnerabilities in ConnectWise Control. He addressed the resolutions to all eight findings in a transparent and rapid way that one should expect of a software company. Unfortunately that is not always the case, so it is refreshing that ConnectWise reacted quickly and effectively.
ConnectWise engaged with GuidePoint Security LLC to validate its fixes and also consulted with Bishop Fox and Huntress Labs during its resolution process. Kyle Hanslovan, CEO of Huntress Labs noted: “Bugs happen. And it’s not about when bugs happen, but it’s about what you do when they happen. We were happy to work with CRN earlier this week to confirm that ConnectWise had already patched 6 of the 8 items found. I think three things matter in this scenario: Were the bugs acknowledged, were the bugs fixed and was the company passionate about fixing them for the right reasons? I think ConnectWise came through on all three things, and after our positive conversation on January 23, we’re excited about continuing to work with ConnectWise and other vendors for the benefit of the channel as a whole.”
ConnectWise, even in these challenging times, has continued to move its security processes forward, which should reassure its many partners and customers.