Other measures in that campaign include the adoption of a new application security architecture based on the Application Security Verification Standard from the Open Web Application Security Project (OWASP), a non-profit software security foundation.
“It’s an extremely comprehensive multi-point architecture standard against which all of our products will be measured,” Greco says.
Developers also now receive additional security training in secure coding practices, secure software design, and the fundamentals of threat modeling.
As ConnectWise CEO Jason Magee conveyed two months ago in an open letter to partners, the company has also recently passed an independent SOC Type 2 security audit.
Magee posted the letter shortly after security researchers at Bishop Fox reported eight vulnerabilities in ConnectWise Control, which were subsequently validated by threat hunting vendor Huntress Labs. Today, according to Greco, security is among the vendor’s top considerations during product design, development, and delivery.
“It’s on an equal level with both UI and functionality,” he says, adding that the company draws heavily on threat modeling analysis to balance those sometimes conflicting priorities.
“That then allows our leadership to make an informed decision on those priorities,” Greco says. “If it’s something that’s a high risk that we can’t mitigate, then it stays a top priority. If it’s something that we can mitigate and bring down to an acceptable level of risk, then certainly that helps make that prioritization.”
ConnectWise is working to strengthen the security posture of its partners as well. Multifactor authentication is now mandatory on ConnectWise Control and the ConnectWise Automate RMM solution, and will be enforced on the ConnectWise Manage PSA product in the future as well. The company has also rolled out an expanded lineup of training and enablement programs for MSPs on security-related topics.
“That could be anything from protecting themselves against social engineering and malware to having a good backup and recovery strategy, as well as incident response capability,” Greco says.
In conjunction with an internal reorganization following ConnectWise’s acquisition of one-time competitor Continuum last October, Greco’s team is now part of the vendor’s engineering organization, and reports to CTO Steve Cochran.
“I have folks who are assigned to the different security functions that we provide, and we execute those functions across all the product sets,” Greco says. His group also oversees security specialists embedded directly within ConnectWise product groups.
Publicizing measures like those unveiled today is part of a broader effort by ConnectWise to establish itself among MSPs as a trustworthy software maker. “We’re looking to build our security brand, as one of our key strategies is security,” Greco says.
Indeed, ConnectWise founder Arnie Bellini showcased that strategy at the ConnectWise IT Nation event in 2018. A year later, at the 2019 IT Nation Connect conference, company executives outlined an ambitious effort to fight back against cybercrime through an independent, non-profit technology solution provider-information sharing and analysis organization (TSP-ISAO).
According to Greco, the security steps announced today are just the latest manifestation of what will be a continuous effort. “There’s always something new that you can learn. There’s always something that you might’ve missed,” he says. “I will never be at any comfort level that I want to be at, however, the more improvement I do, the more comfortable I get.”