Software developers and manufacturers around the world are under attack by cybercriminals. It is not like we are in a time of the year in which they spread more and they barricade themselves in front of the offices, with their evil laptops seeking to blow everything up, no. They are actually always there, trying to violate information security, and in this article we are going to give you a little advice on the subject.
No one is safe from all threats
Whether it is a middling attack or sophisticated and destructive (as it happened to our competitors Solarwinds and Kaseya) evil never rests. The whole industry faces an increasingly infuriating threat landscape. Almost every day we wake up with some news of an unforeseen cyber attack that brings with it the consequent wave of urgent and necessary updates so that our system is safe… Nobody is spared, real giants have fallen over. The complexity of the current software ecosystem means that a vulnerability in a small library affects hundreds of applications. It happened in the past (openssh, openssl, zlib, glibc…) and it will continue to happen.
As we pointed out, these attacks can be very sophisticated or they can be the result of a combination of third-party weaknesses that make the client vulnerable, not because of the software, but because of some of the components in its environment. That’s why IT professionals should demand that their software vendors take security seriously, both from an engineering standpoint and from vulnerability management.
We repeat: No one is safe from all threats. The software vendor that took others out of business yesterday may very likely be tomorrow’s new victim. Yes, the other day it was Kaseya, tomorrow it could be us. No matter what we do, there is no 100% security, no one can guarantee it. The question is not to prevent something bad from happening, the question is how to manage that situation and get out of it.
Pandora FMS and ISM ISO 27001
Any software vendor can be attacked and each vendor must take the necessary additional measures to protect itself and its users. Pandora FMS encourages our current and future clients to ask their suppliers for more consideration in this matter. We include ourselves.
Pandora FMS has always taken security very seriously, so much so that for years we have had a public policy of “Vulnerability disclosure policy” and Artica PFMS as a company, is certified with the ISO 27001. We periodically employ code audit tools and maintain some modified versions of common libraries locally.
In 2021, in face of the security demand, we decided to go one step further, and make ourselves CNA of CVE, to give a much more direct response to software vulnerabilities reported by independent auditors.
Decalogue of PFMS for better information security
When a client asks us whether Pandora FMS is safe, sometimes we remind them of all this information, but it is not enough. Therefore, today we want to go further and prepare a decalogue of revealing questions on the subject. Because some software developers take security a little more seriously than others. Relax, these questions and their corresponding answers are valid for both Microsoft and Frank’s Software or whatever thing you may have. Since security does not distinguish between big, small, shy or marketing experts.
Is there a specific space for security within your software life cycle?
At Pandora FMS, we have an AGILE philosophy with sprints (releases) every four weeks, and we have a specific category for security tickets. These have a different priority, a different validation cycle (QA) and of course, a totally different management, since they involve external actors in some cases (through CVE).
Is your CICD and code versioning system located in a safe environment and do you have specific security measures to ensure it?
We use Gitlab internally, on a server in our physical offices in Madrid. People with name and surname, and unique username and password have access to it. No matter what country they are in, their access through VPN is individually controlled and this server cannot be accessed any other way. Our office is protected by a biometric access system and the server room with a key that only two people have.
Does the developer have an ISMS? (Security Incident Management System)
Artica PFMS, the company behind Pandora FMS, is certified with ISO 27001 almost from its beginnings. Our first certification was in 2009. ISO 27001 certifies that there is an ISMS as such in the organization.
Does the developer have a contingency plan?
We not only have one, we have had to use it several times. With COVID, we went from 40 people working in an office in Gran Via (Madrid) to each and everyone of them working at home. We had power outages (for weeks), server fires and many other incidents that put us to the test.
Does the developer company have a security incident communication plan that includes its customers?
It has not happened many times, but we have had to release an urgent security patch, and we have notified our clients in a timely manner.
Is there an atomic and nominal traceability on code changes?
The good thing about code repositories, like GIT, is that these kinds of issues have been solved for a long time. It is impossible to develop software professionally today if tools like GIT are not fully integrated into the organization, and not only into the development team, but also into the QA, support, engineering… teams.
Do you have a reliable update distribution system with digital certifications?
Our update system (Update Manager) distributes packages with digital certificates. It is a private system, duly secured and with its own technology.
Do you have an open public vulnerability disclosure policy?
In our case, it is published on our website.
Do you have an Open Source policy that allows the customer to see and audit the application code if necessary?
Our code is open, anyone can review it at https://github.com/pandorafms/pandorafms. In addition, some of our customers ask us to audit the source code of the Enterprise version and we are delighted to be able to do so.
Do the components/third-party purchases meet the same standards as the rest of the parts of the application?
Yes they do, and when they do not comply, we maintain them ourselves.
BONUS TRACK:
Does the company have any ISO Quality certification?
ISO 27001
Does the company have any specific safety certification?
National Security Scheme, basic level.
Conclusion
Pandora FMS is ready for EVERYTHING! Just kidding, as we have said, everyone in this sector is vulnerable, and of course the questions in this decalogue are elaborated with certain cunning, after all, we had solid and truthful answers prepared in advance for them, however, the real question is: Do all software vendors have answers to those questions?
Would you like to find out more about what Pandora FMS can offer you? Find out clicking here . If you have to monitor more than 100 devices, you can also enjoy a FREE 30-day Pandora FMS Enterprise TRIAL. Installation in Cloud or On-Premise, you choose !! Get it here.
Last but not least, remember that if you have a reduced number of devices to monitor, you may use Pandora FMS OpenSource version. Find more information here .
Do not hesitate to send your questions. The great team behind Pandora FMS will be happy to assist you! And if you want to keep up with all our news and you like IT, release and, of course, monitoring, we are waiting for you in our blog and in our different social networks, from Linkedin to Twitter through the unforgettable Facebook . We even have a YouTube channel , and with the best storytellers. Ah well, we also have a new Instagram channel ! Follow our account, we still have a long way to go to match that of Billie Eilish.
Dimas P.L., de la lejana y exótica Vega Baja, CasiMurcia, periodista, redactor, taumaturgo del contenido y campeón de espantar palomas en los parques. Actualmente resido en Madrid donde trabajo como paladín de la comunicación en Pandora FMS y periodista freelance cultural en cualquier medio que se ofrezca. También me vuelvo loco escribiendo y recitando por los círculos poéticos más profundos y oscuros de la ciudad.
Dimas P.L., from the distant and exotic Vega Baja, CasiMurcia, journalist, editor, thaumaturgist of content and champion of scaring pigeons in parks. I currently live in Madrid where I work as a communication champion in Pandora FMS and as a freelance cultural journalist in any media offered. I also go crazy writing and reciting in the deepest and darkest poetic circles of the city.