Software security isn’t a sprint; it’s a marathon – a marathon that never ends. That’s why we approach security as an ongoing work-in-progress. Completeness is the ultimate goal, but the journey requires diligence and trusted partnerships.
As a trusted partner to our customers, Ipswitch is committed to raising the bar. We recently announced that our development process follows OWASP guidance and that the MOVEit Cloud offering has achieved PCI certification. In that same spirit, I'd like to provide some insight into the security enhancements we released today.
Check the Ipswitch File Transfer Customer Portal for the Official Announcement
The security architecture of the Ipswitch product line now adheres to OWASP principles. Best known for its Top 10 list of the most critical web application security risks, OWASP is a widely recognized authority on web application security threats. To help us meet these industry best practices, we have introduced continuous security testing into our development process.
On a Wednesday in early February, during our weekly security triage, we were presented with two likely new security vulnerabilities: one surfaced during a test run of a new dynamic scanning tool, and the other was reported to our technical support team by a customer.
PCI compliance requires us to remediate identified vulnerabilities of this kind within 30 days in our Cloud environment. We did that, and then continued toward the finish line: today we announce the availability of those same fixes in our on-premises product.
What did we learn from this process? More importantly, what could your company learn from it? Here are a few quick lessons to keep in mind:
- Full Transparency: In politics, they say it's not the crime, it's the cover-up. The same is true for security vulnerabilities. We follow an open process to ensure security-related bugs get fixed, so that each one turns into an ex-bug rather than into a problem. In addition to this blog post, all MOVEit customers were notified by email, and our product team launched a FAQ site for those who want more details.
- Security is a Moving Target: Today your application might be up to date with every industry standard. Give it a year (or a month...), and that will no longer be the case. Security has to be part of the culture; it cannot be something considered only sporadically. Without the guidance of the OWASP list, this issue might have gone undiscovered for months, or even longer.
- The Clock is Ticking: Even if you have a fixed window in which to apply a security patch, get to it as soon as possible. The longer you wait, the greater the exposure. Don't delay; in fact, have a plan ready before you need it. As soon as we had our test results, we broke the glass and kicked off our Response Policy.
Establishing trust with users isn't about achieving perfection. Rather, it's about being transparent, being quick to resolve issues, and conveying to users that improving security is a continuous process. That's how we approach it with our MOVEit customers.
How does your organization handle patch releases? Be sure to share in the comments section below.