Security Product Update: What You May Not Even Be Aware Of
When things are running smoothly, and you’re not checking into any security issues, then you know you’re in good hands.
I know that this is the case for our SysAid customers, and that makes me happy.
Nevertheless, I wanted to take this opportunity to list out (for anyone who is interested) all the security enhancements that SysAid has recently implemented.
- 58627 – We've continuously tightened security around preventing potential XSS attacks. Among these enhancements, we've added more input filtering and escaping methods for defending against XSS attacks. We also resolved an XSS-related weakness in the local Forgot Password process, which addresses CVE-2020-13168.
- 62099 – And to prevent another XSS vulnerability, documented in CVE-2018-1000129, we limited access to Jolokia in LBs.
- 55806 – In February 2020, we limited the permissions that allowed for displaying SysAid within an iframe in order to prevent threats of click-jacking.
- 53673 – In May 2020, to tighten the secured connection to our services, we started blocking the older, unsupported TLS protocol versions 1.0/1.1, and now only allow the more advanced secured versions. Customers using very old browsers can no longer access our services. They need to ensure that all machines that are running the SysAid agent use a .NET Framework of 4.6 or higher that supports higher TLS protocols. For details on browser support for TLS versions, please read this article: https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers
- 57991 – In June 2020 we expanded enforced timeout functionality to cover more cases of session inactivity.
- 54427 – In June 2020, we began running on an upgraded version of Tomcat and in that way addressed the Tomcat issue (CVE-2020-10569), and disabled the AJP protocol by default.
- 58745 – In July 2020, we tightened security around preventing potential CSRF attacks.
- In August 2020, we:
  - 58702 – Fixed a security issue in the Windows installer.
  - 59020 – Announced our plans to retire the option to allow non-secured (HTTP) access to your SysAid account. Instead, we are redirecting all non-secured traffic to a secured channel (HTTPS).
  - 57541 – Added enhanced security surrounding outgoing email integration with Microsoft 365 via the OAuth 2 protocol.
- 60227 – As of November 2020, workflow notifications can be set with new action links, which force the users to log in to SysAid via SSO to ensure security compliance.
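One way to verify the agent-side requirement from the TLS 1.0/1.1 item above (.NET Framework 4.6 or higher on every machine running the SysAid agent), as an added PowerShell example that is not SysAid's own tooling: it reads the .NET Framework 4.x registry keys documented by Microsoft, where a "Release" value of 393295 or higher identifies 4.6+, and also checks the SchUseStrongCrypto / SystemDefaultTlsVersions runtime switches that make .NET negotiate TLS 1.2. The registry paths, the threshold and the switch names are assumptions drawn from Microsoft's documentation, not from this post.

```powershell
# Added example (not SysAid's code): report whether this Windows machine meets
# the .NET Framework 4.6+ requirement for a TLS 1.2-only service and whether
# the .NET runtime is configured to use TLS 1.2.
# Assumptions: the .NET Framework 4.x registry locations documented by
# Microsoft; "Release" >= 393295 is the documented marker for 4.6 or later.
function Test-AgentTlsReadiness {
    [CmdletBinding()]
    param()

    # Installed .NET Framework 4.x build is recorded in the "Release" value.
    $ndpKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $ndpKey -ErrorAction SilentlyContinue).Release
    $minRelease = 393295   # .NET Framework 4.6
    $hasNet46 = ($null -ne $release) -and ($release -ge $minRelease)

    # Depending on an application's target framework, .NET 4.x can still
    # default to TLS 1.0. Microsoft documents SchUseStrongCrypto and
    # SystemDefaultTlsVersions as the runtime switches that enable TLS 1.2 /
    # the OS defaults. Check both the 64-bit and 32-bit (Wow6432Node) keys.
    $runtimeKeys = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    $flags = foreach ($k in $runtimeKeys) {
        $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key                      = $k
            SchUseStrongCrypto       = [int]($p.SchUseStrongCrypto -eq 1)
            SystemDefaultTlsVersions = [int]($p.SystemDefaultTlsVersions -eq 1)
        }
    }
    # A runtime key is acceptable if either switch is set to 1.
    $weakKeys = $flags | Where-Object {
        $_.SchUseStrongCrypto -ne 1 -and $_.SystemDefaultTlsVersions -ne 1
    }
    $tls12Configured = -not $weakKeys

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        DotNetRelease          = $release
        MeetsNet46Requirement  = $hasNet46
        Tls12EnabledForRuntime = $tls12Configured
        RuntimeKeysNeedingFix  = @($weakKeys | ForEach-Object { $_.Key })
        Ready                  = $hasNet46 -and $tls12Configured
    }
}

Test-AgentTlsReadiness | Format-List
```

Run it on a machine that hosts the SysAid agent; a `Ready` value of `False` together with the listed keys tells you which prerequisite is missing before the TLS 1.0/1.1 block affects that host.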
SysAid is committed to the security and privacy of its customers. As part of that commitment we are continuously improving our security capabilities. If you ever have any questions or concerns, I invite you to email us at ciso@sysaid.com.