Include:
Tech
Cybersecurity
Business Strategy
Channel Insights
Stay Connected
Acer America
Acer America Corp. is a computer manufacturer of business and consumer PCs, notebooks, ultrabooks, projectors, servers, and storage products.

Location

333 West San Carlos Street
San Jose, California 95110
United States

WWW: acer.com

ChannelPro Network Awards

hello 2
hello 3

News & Articles

March 13, 2020 |

ConnectWise Announces Expanded Efforts to Strengthen Product Security

In conjunction with a “shift left” strategy launched earlier this year that seeks to build security earlier into software development, the company is ramping up threat modeling, rolling out automated tools, and introducing its first formal bug bounty program.

ConnectWise has expanded an initiative launched earlier this year aimed at building security controls more deeply into its product development process.

The new measures come amid a mounting wave of threat activity against MSPs and roughly two months after media reports about vulnerabilities in the ConnectWise Control remote access solution. Scheduled to roll out over the next few months, they include the introduction of automated tools and processes as well as the launch of a formal “bug bounty” program, the vendor’s first.

Those and other steps implemented since January of this year are part of a “shift left” strategy ConnectWise has adopted to build security considerations earlier into the software development process.

“Everything we’re doing here really is about improving existing controls, or adding new layers to our existing controls,” says Tom Greco, director of information security at ConnectWise. 

Among the new actions announced today are increased threat modeling at the earliest stages of product design, in an effort to expose potential ways that threat actors might use new features for malicious purposes.

“We’re expanding into development of abuse cases during our development lifecycle,” Greco says. “That allows us to turn those into test cases, so when we actually get to our software testing, we can integrate those with the functional tests to see if the software is in fact susceptible to any of those cases.”

Developers now use an automated tool during the coding process as well to spot possible vulnerabilities in real time. “It basically acts like a spellchecker for software development,” Greco explains. “As they’re literally typing code, it’ll identify if there are any potential weaknesses and give them guidance on how to fix it before the code even gets coded.”

The company is also enhancing the static testing it performs after code is completed, and checking the safety of third-party components like libraries more rigorously, Greco adds.

Further security-related changes include the introduction of automated configuration assessment and self-healing capabilities when software is deployed and used.

“We do configuration compliance checks on those systems and if anything is changed, we change it back,” Greco says. “I like to say as a security guy, ‘we don’t like the humans in there,’ because they tend to make mistakes.” 

Set to arrive midyear, the new bug bounty program will utilize tools and best practices from HackerOne, a bug bounty platform operator. Its goal will be to identify and eliminate weaknesses faster by putting “more eyes” on ConnectWise products.

“And it’s not just one set of eyes or two set of eyes,” Greco says. “It’s thousands of sets of eyes to focus on finding flaws or abuse cases, as it may be, in our software.”

ConnectWise plans to include information from bug reporters in a new series of security bulletins about software vulnerabilities set to start appearing on its Security Trust site in mid-April. “Folks will be able to subscribe to that and receive proactive notifications when new content is added,” Greco says.

Introduced in January, the Security Trust site is designed to serve as a central clearinghouse for information on incidents, alerts, and patches. It is one of many steps ConnectWise has taken this year to be more transparent about security issues, and to prevent issues from materializing in the first place.

Other measures in that campaign include the adoption of a new application security architecture based on the Application Security Verification Standard from the Open Web Application Security Project (OWASP), a non-profit software security foundation.

“It’s an extremely comprehensive multi-point architecture standard against which all of our products will be measured,” Greco says.

Developers now receive additional security training as well in secure coding practices, secure software design, and the fundamentals of threat modeling.

As ConnectWise CEO Jason Magee conveyed two months ago in an open letter to partners, the company has also recently passed an independent SOC Type 2 security audit.

Magee posted the letter shortly after security researchers at Bishop Fox reported eight vulnerabilities in ConnectWise Control, which were subsequently validated by threat hunting vendor Huntress Labs. Today, according to Greco, security is among the vendor’s top considerations during product design, development, and delivery.

“It’s on an equal level with both UI and functionality,” he says, adding that the company draws heavily on threat modeling analysis to balance those sometimes conflicting priorities.

“That then allows our leadership to make an informed decision on those priorities,” Greco says. “If it’s something that’s a high risk that we can’t mitigate, then it stays a top priority. If it’s something that we can mitigate and bring down to an acceptable level of risk, then certainly that helps make that prioritization.”

ConnectWise is working to strengthen the security posture of its partners as well. Multifactor authentication is now mandatory on ConnectWise Control and the ConnectWise Automate RMM solution, and will be enforced on the ConnectWise Manage PSA product in the future as well. The company has also rolled out an expanded lineup of training and enablement programs or MSPs on security-related topics.

“That could be anything from protecting themselves against social engineering and malware to having a good backup and recovery strategy, as well as incident response capability,” Greco says.

In conjunction with an internal reorganization following ConnectWise’s acquisition of one-time competitor Continuum last October, Greco’s team is now part of the vendor’s engineering organization, and reports to CTO Steve Cochran. 

“I have folks who are assigned to the different security functions that we provide, and we execute those functions across all the product sets,” Greco says. His group also oversees security specialists embedded directly within ConnectWise product groups.

Publicizing measures like those unveiled today is part of a broader effort by ConnectWise to establish itself among MSPs as a trustworthy software maker. “We’re looking to build our security brand, as one of our key strategies is security,” Greco says.

Indeed, ConnectWise founder Arnie Bellini showcased that strategy at the ConnectWise IT Nation event in 2018. A year later, at the 2019 IT Nation Connect conference, company executives outlined an ambitious effort to fight back against cybercrime through an independent, non-profit technology solution provider-information sharing and analysis organization (TSP-ISAO). 

According to Greco, the security steps announced today are just the latest manifestation of what will be a continuous effort. “There’s always something new that you can learn. There’s always something that you might’ve missed,” he says. “I will never be at any comfort level that I want to be at, however, the more improvement I do, the more comfortable I get.”

Related News & Articles

Growing the MSP

Editor’s Choice


Explore ChannelPro

Events

Reach Our Audience