ConnectWise Announces Improvements To Its Security Stance With A “Shift Left” Strategy

ConnectWise, a leading provider of business automation software for technology solution providers, has announced it is implementing a "shift left" strategy to strengthen its security. The new measures arrive just two months after extensive media scrutiny of vulnerabilities in ConnectWise Control, its remote access solution. They also come as the company experiences a mounting wave of threat activity against managed service providers (MSPs).

“With the current cybersecurity threat landscape in our industry, everyone is a target. Hundreds of software providers, thousands of MSPs, and the millions of SMBs those MSPs support are all at risk,” said Jason Magee, the company’s chief executive officer. “That means that all of us have a part to play in combating those threats – and that includes ConnectWise. We take trust and transparency seriously, and it’s important that our partners understand the steps we are taking to push them and the entire industry as a whole to be more secure.”

ConnectWise is using a three-pronged approach to bolster its cybersecurity efforts: a “shift left” in software development cycles, independent third-party testing, and a commitment to transparency.

The "shift left" strategy will see the company strengthen threat modelling and abuse case development, increase automated testing coverage, and tighten integration between security and code delivery systems.

The company is also introducing a formal Bug Bounty program, set to arrive by mid-2020, which will utilize tools and best practices from HackerOne, a bug bounty platform operator. The program will be used to identify and eradicate weaknesses more efficiently by putting “multitudes of individual testers” on its products. Users can already report bugs to the ConnectWise Bug Report Portal. Notably, Intel was able to discover the L1 Terminal Fault in 2018 using a similar program.

Its final method to strengthen security will be transparency, which it hopes will build trust in the wider MSP community. This will utilize the company's Security And Trust portal, which enables ConnectWise to share information regarding security, compliance, privacy, and business continuity. Here, it published its most recent announcement regarding its response to the COVID-19 outbreak.

The company first announced it would be overhauling its security measures in January, when CEO Magee published an open letter responding to the eight vulnerabilities discovered in ConnectWise Control. Magee addressed all eight issues exposed by security consultancy Bishop Fox.

This is why the announcement has been lauded by experts, who note a newfound maturity from the company and its reinvigorated approach towards security.