Security Testing Procedure

How ManageEngine prevents vulnerabilities in ADSelfService Plus during its development process

Security has always been at the forefront of ManageEngine's priorities. With this agenda on our minds, the development process of ADSelfService Plus includes multiple stringent security measures to ensure that the solution stays secure and strong while effectively catering to the security requirements of your organization.

The ADSelfService Plus team has a rigorous testing process to identify security issues at every stage of the solution's development. We make sure to fix any issue reported as soon as possible, whether it is identified by our internal teams or external communities, experts, or organizations such as Veracode, who we have partnered with to conduct manual pen tests on ADSelfService Plus.

Here's how we prevent vulnerabilities during the product development cycle:

Product testing procedures

ADSelfService Plus has a team of security experts who follow various security procedures at different stages of feature development to ensure that the product is secure against cyberattacks. We perform the following tests based on the standards advised by the Open Web Application Security Project.

  1. Before our developers work on a new feature, the security team assesses its architecture and design. The main focus of this review is to ensure that the various modules designed for this new feature meet the required security norms.
  2. Once the feature is developed, the code is reviewed by our security team for any violation of coding and security standards.
  3. Before releasing the feature to the public, we perform a round of black-box and white-box testing. This is done to ensure that the feature works as expected, and the code is scrutinized for other possible flaws.

Besides the ADSelfService Plus security team, there's also a dedicated security team at ManageEngine whose goal is to ensure that all ManageEngine products comply with stringent IT security norms. The ManageEngine security team performs the following tests on ADSelfService Plus before every release:

  1. Static code analysis: Using in-house tools, the entire product code repository is checked for code-level vulnerabilities and third-party dependencies.
  2. Authentication testing: These tests will identify any flaws in the different authentication procedures of ADSelfService Plus.
  3. Authorization testing: At this phase, the different user roles and permissions are checked to ensure they've been assigned correctly.
  4. Security misconfiguration: The various third-party components and all the configurations used by these components are checked to ensure they're in proper order.
  5. Input validation testing: This test prevents cross-site scripting attacks. We also employ a built-in filter to prevent such attacks.

Internal and external vulnerability reporting programs

Apart from the procedures mentioned above, we also conduct bug bounty programs where individuals or groups from within ManageEngine, as well as external people, communities, and security experts, can notify us if any vulnerability in our solutions has been identified. In such cases, we immediately begin working on developing and releasing a fix for the vulnerability. Here's what we do if a vulnerability is reported:

  1. Analysis: We analyze the reported vulnerability.
  2. Developing the fix: We develop the fix as early as possible.
  3. Testing: Tests are conducted to ensure that the fix works and all the security measures are in place to protect against other possible threats.
  4. Release: The vulnerability fix is released to the customers.

Third-party pen testing

The ADSelfService Plus team has partnered with Veracode, an independent application security company, to conduct manual pen tests on ADSelfService Plus so that we get a third-party perspective on the security footing of the solution. The company will also conduct these tests yearly on our mobile apps for iOS and Android.

Ensuring the fix reaches our customers

When we release vulnerability fixes, there are several ways we let customers know:

  1. We announce the release of the fix on this page.
  2. Regular updates containing new features, enhancements, and bug fixes are released at frequent time intervals and recorded here.
  3. We make public announcements:
    • We keep the customers updated by making announcements in the product console.
    • We cover security updates in the product newsletters.
    • Based on the severity of the vulnerability, we also send emails to customers.
