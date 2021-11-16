In an age where organizations have established a direct dependence on software to run critical business operations, it’s fundamental that they are evaluating their software development lifecycles and that of their extended environment — third-party partners — against the same standards. Concerns around vulnerability management are gaining more government attention around the world in order to acknowledge and emphasize vulnerability detection capabilities across the supply chains. In fact, the National Institute of Standards and Technology (NIST) issued guidance concerning the minimum standards that vendors or developers should meet to verify enterprise software. The standards are meant to encourage a common framework across government and industry regarding how organizations manage critical software and protect data privacy, integrity and confidentiality.

As a hacker for X-Force Red, one of my main priorities is identifying software vulnerabilities that, if exploited, can lead to large-scale business compromise and data exposure. So, when I recently discovered a zero day vulnerability — a flaw that up until that moment no one knew existed ­— it was an exciting occasion, and enabled our team to help reduce the risk of exploitation. The feat occurred during a penetration testing engagement for an X-Force Red client that used the ManageEngine ServiceDesk.

The ManageEngine ServiceDesk is a help desk management platform that includes core help desk and IT management applications, in addition to project management, contract management and features for ITIL (information technology infrastructure library) compliance. The platform is widely deployed and, according to the ManageEngine website, is used by some of the largest companies in the world. The platform’s broad reach is a result of the increasing demand for IT service support management that can improve business process agility and outcomes. In the last two years alone, IT help desks have seen a significant spike in activity due to the expanding remote workforce and a hasty digital transformation that the COVID-19 pandemic forced upon businesses. In fact, a 2021 DeepCoding survey found that the number of monthly tickets submitted to IT service management teams increased 35% from pre-pandemic levels.

Services and applications of this nature sit at a critical point of hundreds of thousands of businesses’ supply chains — they hold sensitive personally identifiable information (PII) information, which makes them a top target for attackers. In the case of ManageEngine’s Service Desk, gaining access to information of this nature could provide attackers with significant ammo for future enterprise targets, providing insight into customers’ IT environments, network structures and security settings. Testing for and managing vulnerabilities within these platforms must be a top priority for businesses across sectors.