ConnectWise Embraces DevSecOps to Better Secure Platform

ConnectWise today revealed a series of DevSecOps initiatives it has undertaken to better secure a platform that has increasingly come under attack as cybercriminals continue to target managed service providers (MSPs).

The goal is to reassure MSPs that ConnectWise is putting in place a layer of additional cybersecurity controls while at the same time educating its application developers on how to build more secure applications, says Tom Greco, director of information security for ConnectWise.

As part of that effort, ConnectWise is embracing cybersecurity methodologies as defined by the Open Web Application Security Project (OWASP) and has launched a bug bounty program through which it will provide incentives and rewards to cybersecurity researchers who discover cybersecurity flaws in its software. Much of the current concern over the cybersecurity resiliency of MSP platforms stems from recent research conducted by Huntress Labs and a bevy of targeted cybersecurity attacks against MSPs that have resulted in end customers being breached. Not surprisingly, many end customers are questioning to what degree they can rely on MSPs to manage and secure their IT environments.

ConnectWise is also committing to soon providing security bulletins that communicate alerts, product vulnerabilities, critical patches and updates as part of an effort to create a channel for the responsible disclosure of vulnerabilities. The company also plans to identify scenarios where its software can be attacked and abused to help MSPs better lock down their environments, added Greco.



Finally, Greco notes ConnectWise also just achieved SOC-2 certification for the data centers it uses to provide MSPs with access to its remote monitoring and management (RMM) software and professional services automation (PSA) platform.

In the meantime, ConnectWise is working toward modernizing its applications by embracing DevSecOps processes as it transitions to a microservices-based application architecture built mainly using containers that are fundamentally more secure and easier to update, said Greco. It will take time, however, for that transition to occur.

“That’s not something that can happen overnight,” says Greco.

Like most application providers today, ConnectWise employs monolithic applications that are more challenging to update and patch. ConnectWise is in the process of determining which modules to rewrite as part of a general “shift left” in terms of how it approaches cybersecurity. That shift places more responsibility for security on the shoulders of application developers.

It will be a while before the current crisis of confidence in MSP cybersecurity subsides. However, it’s worth remembering that by and large most MSPs still have a lot more cybersecurity expertise at their disposal than any IT organization that may decide to go it alone.
