Introduction
ManageEngine makes IT management solutions that enable IT admins to address their IT challenges proactively. We improve our customers' security posture and prioritize their data security and privacy. In this article, we document our security processes at the organizational and product levels. Click here to view our detailed security policy.
Strict adherence to security hygiene
Our security, Network Operations Center (NOC), and privacy teams are dedicated to developing and implementing a rigorous security framework, which includes training and educating our employees periodically; training, building, and maintaining our defence systems; streamlining security review processes across internal teams and departments; and monitoring our corporate networks for any suspicious activities.
Incident response and management process
At ManageEngine, we have a dedicated incident management team to monitor, track, and respond to incidents in real time. Our team detects and responds to incidents with an appropriate corrective strategy. If an incident occurs, we provide our customers with an extensive report that clearly identifies the incident, its root cause, and the steps taken to mitigate and contain any ramifications of the incident. Moreover, the report includes our strategies to prevent any recurrence of the incident. To report any security or privacy incidents, write to us at incidents@zohocorp.com.
Breach notification
Breach notification is applicable only to customers who have uploaded log and data files for debugging. As a data controller, we will notify all concerned data protection bodies of a data breach within 72 hours of our learning of it, as required by the General Data Protection Regulation (GDPR). We will also duly notify our customers as and when required, depending on specific requirements. As a data processor, we will notify the concerned data controllers of the incident as soon as possible. For incidents pertaining to a specific user or organization, we will notify the concerned party through their business email. For general incidents, we will notify our users through emails, blogs, forums, and social media about the incident and, if required, any planned remedial action.
Vulnerability management: Security fix, builds, and patching process
To ensure tight security, the ManageEngine Security Response Center (MESRC) uses a combination of in-house and third-party tools to identify security vulnerabilities or bugs (listed in CVE or reported on social media) across our products, corporate networks, endpoints, databases, and other assets. Identified and reported vulnerabilities that require timely remediation are logged and prioritized according to their severity. Furthermore, we run extensive risk assessments and vulnerability proofing tests, and we mitigate all vulnerable systems by providing appropriate fixes and patch builds in our security releases. More info.
Responsible disclosure
We practice proactive and collaborative IT security
Besides maintaining a robust security routine, we encourage our customers, partners, and security enthusiasts to highlight their security concerns to us. This helps us stay on top of security threats. In addition, we work with industry specialists and researchers to keep ourselves abreast of recent security developments to build foolproof IT security products.
Our vulnerability reporting program, Bug Bounty, is committed to working with the security community to identify, verify, and implement appropriate controls and patches for reported vulnerabilities. If you have discovered a potential security issue with our line of products, please report it at https://bugbounty.zohocorp.com or write to us at security@zohocorp.com.
After a vulnerability is reported, the MESRC, along with product experts, investigates the validity, risks, and severity associated with the reported vulnerability and delivers remediation to our users in the form of bug fixes, upgrade packs, and security patches.
ServiceDesk Plus: Overview
ServiceDesk Plus is a help desk management platform that includes core help desk and IT management applications, project management, contract management, asset management, a CMDB, and features for ITSM best practice compliance. ServiceDesk Plus is currently used by various organizations; some of them have installed and configured ServiceDesk Plus within their network, whereas a few others have installed and configured ServiceDesk Plus to be accessed over the internet. So, any compromise of the security of customer data would expose organizations to serious risks. Therefore, ServiceDesk Plus is designed to offer maximum security at all times, including during application installation, user authentication, data transmission, storage, and regular use.
Secure by design
Our Software Development Life Cycle (SDLC) model mandates that our ServiceDesk Plus engineering team strictly adhere to our secure coding standards. In addition, we adhere to security standards across the SDLC process.
Security standard during the analysis and design phase
- Our engineering team gathers and analyzes requirements to identify any security flaws and loopholes in new features.
- Prepares a vulnerability assessment plan to address security concerns raised by users and security analysts in previous releases/versions.
- Develops a product or feature prototype, including changes, and submits it to the change management authority for approval.
Security standard during the development phase
- The development team follows the security guidelines given by the product security team.
- The source code is periodically reviewed by the security coordinator and team lead.
- Before using any third-party code dependencies and libraries, our legal and security teams verify whether the third-party libraries have any known security issues.
- Only authorized engineers can access the source code repository.
- An approval/review process is enabled for modified sources.
Security standard during the QA/release phase
- Performs integration, automation, and penetration tests to ensure that the new features or modules are secure from potential vulnerabilities/flaws.
- Continuous smoke testing to ensure that the core functionality of the product remains intact without opening new security loopholes.
- Generates security assessment reports to identify further areas of improvement.
- Runs continuous vulnerability scans post release for timely identification and patching of vulnerabilities.
Security review process
We have a security team to ensure the released build/product is free from security vulnerabilities. The team follows the process below during the security review.
- Runs an automated security audit tool on new features.
- Conducts a security audit program for all features and bug fixes.
- Analyzes third-party file usage and their known vulnerabilities.
- Collects brief details of features and bug fixes from developers to discover possible vulnerabilities.
- Creates security briefs for both developers and the support team to provide immediate solutions to customers.
- Monitors recently discovered vulnerabilities.
- As a final check, white box testing, i.e. manual source code review, is also carried out by the security team to discover any defects in the build. In this stage, the security team develops test cases to verify the proper working of all functionalities and the error handling of the developed feature.
- Once all issues are resolved and a fresh build is created, the security team will approve the build as final.
Security issues handled in ServiceDesk Plus
ServiceDesk Plus customers and external users can use https://bugbounty.zohocorp.com to report any security vulnerabilities in the product. Based on the severity of the issue, the resolution will follow a predefined timeline as follows:
- High Priority: 10 days
- Medium Priority: 20 days
- Low Priority: 30 days
Any new security issue raised in Bug Bounty is created as a ticket in our internal issue manager (IM) tool. Based on the severity of the issue, the development team works on a fix. The ServiceDesk Plus QA team also prioritizes security fixes and provides test cases for high-priority issues. After the fix is ready, it is validated by our own QA team and also by the ManageEngine security team. After the fix is released, the ServiceDesk Plus security team notifies the ManageEngine security team, which informs the customer of the release and closes the case. In cases where the implementation may be delayed, the team is notified and an extension is sought.
Other security standards
- Our repository and build infrastructure are secured with the SSH/HTTPS protocols and are placed in a secure, segmented network with strict authentication and access controls.
- Our security and code frameworks are OWASP-compliant and implemented at the application layer.
- All code changes, third-party dependencies, release bundles, and upgrade packs are subject to multiple levels of internal security review, automated and penetration testing, and vulnerability scans to ensure they are well secured against logical bugs and security issues.
- Every update and new feature in ServiceDesk Plus is subject to internal change management policies and regular vulnerability assessments, and changes are implemented into production only if approved by the concerned change and security management authorities.
- The binaries are signed with a code signing certificate, and the private key is securely stored in the segmented network with limited access.
- The ServiceDesk Plus engineering team works closely with internal security teams to obtain their feedback and identify areas of improvement to strengthen our security posture.
Besides the security measures described above, we are continuously striving to make the application more secure. The following section provides comprehensive details about the security specifications of ManageEngine ServiceDesk Plus.
Customer data protection in ServiceDesk Plus
ServiceDesk Plus is an installable product, so all data resides in the customer environment. Therefore, a data breach is not possible in the ServiceDesk Plus On-Premises version. Only customers' support tickets and log files are stored in the customer support portal.
- The files uploaded by customers are stored securely in a customer support portal.
- The uploaded files are accessible only to authorized support technicians.
- Data uploaded to the server is kept confidential and is used for debugging purposes only.
- The uploaded files can be downloaded only on specific servers, and the server credentials are not shared with anyone.
- The uploaded files are removed automatically under the following conditions:
  - During ticket closure, we ensure the log and data files are deleted from the server.
  - Files uploaded to the server are deleted automatically after 25 days.
ServiceDesk Plus: Security specifications
Refer to the link below to know more about the product security specifications.
https://www.manageengine.com/products/service-desk/servicedesk-plus-security-specifications.html
Build and patching process
- The ServiceDesk Plus team works closely with the MESRC to run mandatory vulnerability scans and penetration tests before every major release to ensure that the latest builds are completely foolproof. In addition, the team runs continuous vulnerability assessments on these builds to ensure that they are free from any new vulnerabilities.
- Users are notified immediately to upgrade to the latest version as and when there is a new security patch or update.
- In the event of a security concern or escalation, users are requested to submit a detailed report on the vulnerability or security bug. Meanwhile, the product team evaluates the validity and risks associated with the bug and prioritizes the release based on its severity.