ConnectWise improves and adds to security controls throughout software development lifecycle

ConnectWise is both strengthening its software development lifecycle and adding new vulnerability testing capability and security bulletins.

Tom Greco, ConnectWise’s Director of Information Security

Business automation software vendor ConnectWise has announced further steps in its efforts to make its MSP partner community more secure. The enhancements take two forms. They strengthen security controls and processes earlier in the software development lifecycle, and they add new layers of control much later in the lifecycle, through a formal Bug Bounty program and new security bulletins on the company's recently launched Trust site.

These enhancements continue ConnectWise's recent deep focus on security, which was the central theme of its IT Explore event last year and which it continues to expand with new initiatives.

“This is about improving existing controls and adding new layers of protection,” said Tom Greco, ConnectWise’s Director of Information Security. “We have just achieved the SOC 2 Type 2 certification, an independent audit of about 170 controls. That’s a good baseline, but we are always looking to improve.”

The focus on the application development process is part of ConnectWise's "Shift Left" strategy, meaning moving security testing and processes to the left, or earlier, in the software development lifecycle, so that issues are found and prevented as early as possible.

“The whole idea of ‘Shift Left’ is making those controls better,” Greco said. “It’s always a priority for us. Application security is a key element of our strategy.”

The changes include enhancements to secure-by-design practices such as threat modeling and abuse case development, increased automated testing coverage, and tighter integration between security tooling and the code delivery pipelines.

“With RMMs, the issue is not that our products are vulnerable but that they are capable, so people can use their functionality for malicious intent, by thinking of ways to abuse the intended functionality,” Greco said. “So we think about this ourselves in our threat modelling so we can incorporate it into our functionality.

“We have significantly increased the breadth and depth of our development security curriculum, branching into secure coding practices, application design and even the fundamentals of threat modelling,” he stated.

“Further right in the development lifecycle, in the build phase, we now have tools for developers that act like spellcheckers for security,” Greco added. “As developers write code, these tools provide guidance on how to avoid security issues.”

The changes also bring new automation to the latest stages of the development lifecycle, deployment and operation.

“At the end of that, in the deploy and operate phase, we can increase the capability to apply hardening standards in automated fashion,” Greco indicated. “This effectively lets us take the humans out, as they are the weakest link. We are automating that process more to apply security hardening standards and introduce automated healing capabilities.”

Greco said that while all of these things improve the software development lifecycle, ConnectWise is also adding new layers of controls on top of it.

“This is where Bug Bounty comes in,” he stated. “We are engaging HackerOne, a bug bounty service provider. They maintain a pool of hackers and give them access to our platforms. That provides us with a continuous vulnerability assessment of our products. It’s like an extra 100,000 eyes to see things we may not have thought of.”

The final developer-integration work on the Bug Bounty program is under way, and the program is expected to be available later in Q2.

The expansion of the ConnectWise Security Trust site, which the company launched in January, is another component of this strategy. It was designed to be a primary source of information on security incidents, relevant alerts, critical patches and product updates.

“We are going to implement a security bulletins capability where we can announce vulnerabilities and do that in a way that MSPs can subscribe to,” Greco said. “Those vulnerability disclosures will follow an industry timeline, and we will address them within industry standard timeframes.”

Greco indicated that the security bulletins will arrive in mid-April, as some development integration work remains to be done on them as well.