March 13, 2020

ConnectWise Strengthening its Security Posture

Emphasizes “Shift Left” in Software Development Cycle, Independent Third-Party Testing and Commitment to Transparency

ConnectWise, the leading provider of business automation software for technology solution providers (TSPs), today announced updates it is taking to strengthen its security posture.

The company is expanding its “Shift Left” strategy – the practice of implementing security testing and processes to the left, or earlier, in the software development lifecycle to find and prevent issues as early as possible.

“With the current cybersecurity threat landscape in our industry, everyone is a target. Hundreds of software providers, thousands of MSPs, and the millions of SMBs those MSPs support are all at risk,” said Jason Magee, CEO, ConnectWise. “That means that all of us have a part to play in combating those threats – and that includes ConnectWise. We take trust and transparency seriously, and it’s important that our partners understand the steps we are taking to push them and the entire industry as a whole to be more secure.”

The shift-left strategy includes enhancements to secure-by-design practices including threat modeling and abuse case development, increased automated testing coverage, and tighter integration between security and code delivery pipelines.

While the company does regularly engage third parties for security assessment and penetration tests, it is expanding its vulnerability management practices to include a formal Bug Bounty program. Bug Bounty adds value over traditional testing strategies through continuous testing by multitudes of individual testers with a wide range of specialized expertise.

ConnectWise is also committing to transparency with respect to information security for the benefit of its Partners and the MSP community. It has recently launched the first iteration of its Trust site as a primary source of information on a number of security, compliance and privacy topics.

Planned additions include a security bulletins section to communicate security alerts, product vulnerabilities, critical patches and updates with the ability to subscribe for proactive notifications. It will also support the company’s vulnerability disclosure efforts by providing a channel for responsible disclosure of vulnerabilities.