ConnectWise has considerable clout in the MSP software market. But for the past year or so, I've worried the company has focused too much on cybersecurity sales, and too little on cybersecurity procedures.
But today, the company outlined some major steps that helped me to believe ConnectWise is serious about hardening its code base, and more effectively communicating security issues to partners.
First, some background: Amid continued ransomware and hacker attacks against MSPs, my concerns about the overall MSP software market reached a boiling point in October 2019 -- when I pleaded for the overall industry to "stop preaching, and start practicing" proper cybersecurity. I also worried that private equity investors might be putting business growth priorities ahead of proper cyber practices across the MSP software market.
ConnectWise: Signs of Progress
Fast forward to present day. I think the overall MSP software market is making progress. Basic steps such as two-factor authentication (2FA) or multi-factor authentication (MFA) increasingly are the norm. And there are also signs of real progress at ConnectWise.
For me, the evidence emerged yesterday (March 12) during a wide-ranging ChannelE2E interview with Tom Greco, ConnectWise's director of information security. Much of what Greco told me surfaced in a formal announcement from the company today (March 13).
SOC2 Compliance and More: ConnectWise's journey toward more secure code didn't happen overnight. Greco has been on-board since around the time Thoma Bravo acquired ConnectWise in early 2019, I believe.
Key steps in the past year include the vast majority of ConnectWise and Continuum software platforms earning SOC 2 Compliance via third-party independent audits. (Newer offerings like ConnectWise IT Boost are pursuing that compliance recognition now, he says.)
Still, ConnectWise's overall path toward improved security involves at least three other steps, Greco says. They include:
Implementing security testing and processes earlier in the software development lifecycle -- a so-called “shift left” effort.
Complementing existing third party testing with a formal ConnectWise Bug Bounty program.
Adding additional information to the ConnectWise Trust site -- including documented vulnerability alerts and associated patches and fixes.
ConnectWise CEO Weighs In
Admittedly, skeptics may ask, "Why weren't all these steps in place sooner?" I'll note that the MSP market mostly grew up in a bootstrapped, entrepreneurial way. It's only the past few years that private equity has stepped in to take numerous MSP software companies to the next, more mature business level.
In a follow-up prepared statement from ConnectWise CEO Jason Magee today, he said:
“With the current cybersecurity threat landscape in our industry, everyone is a target. Hundreds of software providers, thousands of MSPs, and the millions of SMBs those MSPs support are all at risk. That means that all of us have a part to play in combating those threats – and that includes ConnectWise. We take trust and transparency seriously, and it’s important that our partners understand the steps we are taking to push them and the entire industry as a whole to be more secure.”
ConnectWise: Three Key Security Moves
But what does that mean in terms of ConnectWise's day-to-day software development, code maintenance, and communication practices? Here are key areas to watch, Greco says:
- Shift Left: Greco says the shift-left strategy includes enhancements to "secure-by-design practices." Steps like threat modeling and abuse case development, increased automated testing coverage, and tighter integration between security and code delivery pipelines are now in place, the company says.
- Bug Bounty Program: ConnectWise continues to engage third parties for security assessment and penetration tests. Next up is a formal Bug Bounty program -- which involves a partnership with HackerOne. That firm will unleash a community of hackers against ConnectWise's code -- essentially providing continuous security assessments,
- Clearly Disclosed and Documented Security Vulnerabilities and Fixes: The ConnectWise Trust site, I've argued privately, contains too much marketing information and too little vulnerability patch information. That's about to change -- again, for the better. Over time, it will also include a security bulletins section to communicate security alerts, product vulnerabilities, critical patches and updates with the ability to subscribe for proactive notifications, the company says. It will also support the company’s vulnerability disclosure efforts by providing a channel for responsible disclosure of vulnerabilities. Those are welcome steps.
ConnectWise is also looking up into the enterprise technology market for security best practices. The company's security disclosures, for instance, will be modeled after proven approaches from ServiceNow and IBM, Greco says.
The Bottom Line
No doubt, MSP software remains a prime target for ransomware and hacker attacks. All MSP platforms are targets. ConnectWise certainly is a target. And the company will certainly suffer security incidents in the future. That's just the nature of the software market.
Assuming ConnectWise lives up to the mandates above, the company's partner base should be far more informed -- and ready to take action -- when such issues occur. Moreover, the code should be in better shape -- leading to fewer incidents -- before it even gets out the door to MSPs.
Still, I'm not and MSP and don't run ConnectWise's software -- or rival industry software. And that means I'm not experiencing the code and process changes that ConnectWise and rivals have been rolling out in the past year. That's my way of saying keep me and the vendor community honest. Hopefully, everyone truly is raising the bar on security. When my view on the issues or progress misses the mark, let me know.