How ManageEngine prevents vulnerabilities in ADSelfService Plus during its development process
At ManageEngine, security has always been our utmost priority. The development process of ADSelfService Plus includes several top-notch security measures to ensure that the product complies with the strict security requirements of your organization.
The ADSelfService Plus team has a well-thought-out testing process to identify security issues at every stage of product development. Any vulnerability reported by external communities or experts is also fixed by us as soon as possible.
Here's how we prevent vulnerabilities during the product development cycle.
Product testing procedures
ADSelfService Plus has a team of security experts who follow various security procedures at different stages of feature development to ensure that the product is secure against cyberattacks. We perform the following tests based on the standards advised by the Open Web Application Security Project (OWASP).
- Before our developers work on a new feature, the security team assesses the architecture and design of the feature. The main focus of this review is to ensure that the various modules designed for this new feature meet the required security norms.
- Once the feature is developed, the code is reviewed by our security team for any violation of coding and security standards.
- Before releasing the feature to the public, we perform a round of black-box and white-box testing. This is done to ensure that the new feature functions as expected, and the code is scrutinized for other possible flaws.
Besides the ADSelfService Plus security team, there's also a dedicated security team at ManageEngine whose goal is to ensure that all ManageEngine products comply with stringent IT security norms. The ManageEngine security team performs the following tests on ADSelfService Plus before every release:
- Static code analysis: Using in-house tools, the entire product code repository is checked for code-level vulnerabilities.
- Authentication testing: These tests will identify any flaws in the different authentication procedures of ADSelfService Plus.
- Authorization testing: At this phase, the different user roles and permissions are checked to ensure they've been assigned correctly.
- Security misconfiguration: The various third-party components and all the configurations used by these components are checked to ensure they're in proper order.
- Input validation testing: This test prevents cross-site scripting (XSS) attacks. We also employ a built-in filter to prevent such attacks.
External vulnerability reporting
Despite following the aforementioned procedures, if any vulnerability is detected in our products by an external tester, we ensure that it's patched and the fix is released quickly. The following steps are taken in such cases:
- Analysis: We analyze the reported vulnerability.
- Developing the fix: We develop the fix as early as possible.
- Testing: Tests are conducted to ensure that the fix works, and all the security measures are in place to protect against other possible threats.
- Release: The vulnerability fix is released to the customers.
Ensuring the fix reaches our customers
When we release vulnerability fixes, there are several ways we let customers know:
- We announce the release of the fix in our product forum.
- Regular updates containing new features, enhancements, and bug fixes are released at frequent time intervals and recorded here.
- We make public announcements:
- We keep the customers updated by making announcements in the product console.
- We cover security updates in the product newsletters.
- Based on the severity of the vulnerability, we send emails to customers.