Software developers and vendors from all over the world are under attack by cybercriminals. It’s not that we’re at a time of year when they’re out and about, barricaded in front of offices with their malicious laptops seeking to blow everything up, no. They’re always out there actually, trying to breach information security, and in this article we’re going to give you a bit of advice on how to deal with them.

No one is safe from all kinds of threats 

Whether it’s a half-assed attack or sophisticated and destructive one (as it happen to our competitors from Solarwinds and Kaseya) evil never rests. The entire industry faces an increasingly infuriating threat landscape. We almost always wake up to some news of an unforeseen cyberattack that brings with it the consequent wave of rushed and necessary updates to make sure our system is safe… And no one is spared, true giants have fallen victims. The complexity of today’s software ecosystem means that a vulnerability in a small library could end up affecting hundreds of applications. It happened in the past (openssh, openssl, zlib, glibc…) and it will continue to do so.

As we highlighted, these attacks can be very sophisticated or they can be the result of a combination of third-party weaknesses that compromise customers, not because of the software, but because of some of the components of their environment. This is why IT professionals should require for their software vendors to take security seriously, both from an engineering and vulnerability management standpoint.

We repeat: No one is safe from all threats. The software vendor that yesterday took business away from others may very likely be tomorrow’s new victim. Yes, the other day it was Kaseya, tomorrow it could be us. No matter what we do, there is no such thing as 100% security, no one can guarantee it. The point is not to prevent something bad from happening, the point is how you manage that situation and get out of it.

Pandora FMS and Sgsi Iso 27001

Any software vendor can be attacked and that each vendor must take the necessary additional measures to protect themselves and their users. Pandora FMS encourages our current and future customers to ask their vendors to pay more attention in this regard. Ourselves included.

Pandora FMS has always taken security very seriously, so much so that for years we have had a public policy of “Vulnerability disclosure policy” and Artica PFMS as a company, is certified in ISO 27001. We periodically pass code audit tools and maintain locally some modified versions of common libraries.

In 2021, in view of the demand in the area of security, we decided to go one step further, and to become CNA of CVE to provide a much more direct response to software vulnerabilities reported by independent auditors.

PFMS Decalogue for better information security

When a customer asks us if Pandora FMS is safe, sometimes we remind them of all this information, but it’s not enough. That’s why today we want to go further and elaborate a decalogue of revealing questions on the subject. Yes, because some software developers take security a little more seriously than others. Don’t worry, these questions and their corresponding answers apply to both Microsoft and John’s Software. Because security doesn’t distinguish between big, small, shy or marketing experts.

Is there a specific space for security within your software lifecycle?

At Pandora FMS we have an AGILE philosophy with releases every four weeks, and we have a specific category for security tickets. These have a different priority, a different validation cycle (Q/A) and of course, a totally different management, since they involve external actors in some cases (CVE through).

Is your CICD and code versioning system located in a secure environment and do you have specific security measures in place to secure it?

We use Gitlab internally, on a server in our physical offices in Madrid. It is accessed by people with a first and last name, and a unique username and password. No matter which country they are in, their access via VPN is individually controlled and this server cannot be accessed in any other way. Our office is protected by a biometric access system and the server room with a key that only two people have.

Does the developer have an ISMS (Security Incident Management System) in place?

Artica PFMS; the company behind Pandora FMS has been ISO 27001 certified almost since its inception. Our first certification was in 2009. ISO 27001 certifies that there is an ISMS as such in the organization.

Does the developer have a contingency plan?

Not only do we have one, but we have had to use it several times. With COVID we went from working 40 people in an office in Gran Via (Madrid) to working at home. We have had power failures (for weeks), server fires and many other incidents that have put us to the test.

Does the developer have a security incident communication plan that includes its customers?

It has not happened many times, but we have had to release some urgent security patches, and we have notified our customers in a timely manner.

Is there atomic and nominal traceability on code changes?

The good thing about code repositories, such as GIT, is that this kind of issues have been solved for a long time. It is impossible to develop software in a professional way today if tools like GIT are not fully integrated into the organization, and not only the development team, but also the Q/A team, support, engineering…

Do you have a reliable system for distributing updates with digital signatures?

Our update system (Update Manager) distributes packages with digital signature. It is a private system, properly secured and with its own technology.

Do you have an open public vulnerability disclosure policy?

In our case, it is published on our website.

Do you have an Open Source policy that allows the customer to observe and audit the application code if necessary?

Our code is open source, anyone can review it at https://github.com/pandorafms/pandorafms. In addition, some of our customers ask us to audit the source code of the enterprise version and we are happy to do so.

Do third-party components / acquisitions meet the same standards as the other parts of the application?

Yes they do and when they do not comply we support them.

BONUS TRACK:

Does the company have any ISO Quality certification?

ISO 27001

Does the company have any specific safety certification?

National Security Scheme, basic level.

Conclusion

Pandora FMS is prepared and armed for EVERYTHING! Just kidding, as we have said, everyone in this industry is vulnerable, and of course the questions in this Decalogue are crafted with a certain cunning, after all we had solid and truthful answers prepared for them beforehand, however, the real question is, do all software vendors have answers?

If you have to monitor more than 100 devices you can also enjoy a FREE 30-day TRIAL of Pandora FMS Enterprise. Cloud or On-Premise installation, you choose!!! Get it here.

Finally, remember that if you have a small number of devices to monitor, you can use the OpenSource version of Pandora FMS. Find more information here.

Don’t hesitate to send us your questions, the great team behind Pandora FMS will be happy to help you!

Dimas Pardo

Dimas P.L., de la lejana y exótica Vega Baja, CasiMurcia, periodista, redactor, taumaturgo del contenido y campeón de espantar palomas en los parques. Actualmente resido en Madrid donde trabajo como paladín de la comunicación en Pandora FMS y periodista freelance cultural en cualquier medio que se ofrezca. También me vuelvo loco escribiendo y recitando por los círculos poéticos más profundos y oscuros de la ciudad.

Dimas P.L., from the distant and exotic Vega Baja, CasiMurcia, journalist, editor, thaumaturgist of content and champion of scaring pigeons in parks. I currently live in Madrid where I work as a communication champion in Pandora FMS and as a freelance cultural journalist in any media offered. I also go crazy writing and reciting in the deepest and darkest poetic circles of the city.