ConnectWise has expanded an initiative launched earlier this year aimed at building security controls more deeply into its product development process.
The new measures come amid a mounting wave of threat activity against MSPs and roughly two months after media reports about vulnerabilities in the ConnectWise Control remote access solution. Scheduled to roll out over the next few months, they include the introduction of automated tools and processes as well as the launch of a formal “bug bounty” program, the vendor’s first.
Those and other steps implemented since January of this year are part of a “shift left” strategy ConnectWise has adopted to build security considerations earlier into the software development process.
“Everything we’re doing here really is about improving existing controls, or adding new layers to our existing controls,” says Tom Greco, director of information security at ConnectWise.
Among the new actions announced today are increased threat modeling at the earliest stages of product design, in an effort to expose potential ways that threat actors might use new features for malicious purposes.
“We’re expanding into development of abuse cases during our development lifecycle,” Greco says. “That allows us to turn those into test cases, so when we actually get to our software testing, we can integrate those with the functional tests to see if the software is in fact susceptible to any of those cases.”
Developers now use an automated tool during the coding process as well to spot possible vulnerabilities in real time. “It basically acts like a spellchecker for software development,” Greco explains. “As they’re literally typing code, it’ll identify if there are any potential weaknesses and give them guidance on how to fix it before the code even gets coded.”
The company is also enhancing the static testing it performs after code is completed, and checking the safety of third-party components like libraries more rigorously, Greco adds.
Further security-related changes include the introduction of automated configuration assessment and self-healing capabilities when software is deployed and used.
“We do configuration compliance checks on those systems and if anything is changed, we change it back,” Greco says. “I like to say as a security guy, ‘we don’t like the humans in there,’ because they tend to make mistakes.”
Set to arrive midyear, the new bug bounty program will utilize tools and best practices from HackerOne, a bug bounty platform operator. Its goal will be to identify and eliminate weaknesses faster by putting “more eyes” on ConnectWise products.
“And it’s not just one set of eyes or two sets of eyes,” Greco says. “It’s thousands of sets of eyes to focus on finding flaws or abuse cases, as it may be, in our software.”
ConnectWise plans to include information from bug reporters in a new series of security bulletins about software vulnerabilities set to start appearing on its Security Trust site in mid-April. “Folks will be able to subscribe to that and receive proactive notifications when new content is added,” Greco says.
Introduced in January, the Security Trust site is designed to serve as a central clearinghouse for information on incidents, alerts, and patches. It is one of many steps ConnectWise has taken this year to be more transparent about security issues, and to prevent issues from materializing in the first place.