Security researchers discovered critical zero-day vulnerabilities in some products created by ManageEngine, a software company that creates software designed to manage IT assets. According to the report, the vulnerabilities could allow remote code execution with escalated privileges, as well as sensitive data disclosure resulting in full host compromise.
The researchers found vulnerabilities in three ManageEngine products, including Logs360, EventLog Analyzer, and Applications Manager. These vulnerabilities can be exploited using unauthenticated file upload remote code execution, blind SQL injection, local file inclusion, and API key disclosure.
Affected users can download updates from the vendor’s website to address these vulnerabilities.
Given that ManageEngine serves many large organizations, including Fortune 500 companies and government, healthcare, manufacturing, and financial organizations, any vulnerability that affects their software can potentially have a significant impact due to the nature and scope of the affected products.
All of these issues point to the importance of organizations implementing security into the development cycle of their products and services. The challenge is in integrating security across all stages of the development process without compromising speed, efficiency as well as user experience. DevOps security used to be thought of as something that's needed during product development. In an ideal world, applications that have been tested and launched should be safe from vulnerabilities and exploitation – however, the reality is that no application or product will be 100% secure and vulnerability-free.
This reality demands constant monitoring and updating of products to address potential flaws or vulnerabilities. Microsoft’s monthly updates — colloquially known as Patch Tuesday — is a good model for this, providing updates for vulnerabilities found in their products. External researchers also discover many of these vulnerabilities, thus application developers should also look into working with them to pinpoint the problems and work on solutions.
Beyond patching and updating apps to address security issues, organizations should also look to simplify their security processes. Security automation and automated security testing can be an option for those who want to streamline implementation. What is important is that security for both applications and services need to be both efficient and scalable to address the situation's requirements. Developers should also take it upon themselves to at least get the basics of DevOps security down pat, as this will help them understand the most likely areas where threats can occur and where application security can be compromised.
Regardless of where they are in the development cycle – whether planning and development or deployment and monitoring – developers must always consider building their products with security by design in mind, as this will ensure stronger security of their products and services, and the security of their customers.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).