The Evolution of Datto’s Application Security Program and BSIMM

Security has been, and continues to be, one of the primary focuses of Datto in our effort to provide best-in-class solutions to our partners. Because security cannot be accomplished in a silo, and requires the dedication and commitment of the entire organisation, we strive to continuously look for opportunities to improve collaboration with all parties. This means that at any given time, we have many security initiatives and improvements being iterated on and reprioritised. Being agile allows us to remain flexible and open to our partners and the community's security needs. As part of this effort, Datto has recently updated our Vulnerability Disclosure Program (VDP) which I have written about here. Given the timing and topic, I felt this was also a good opportunity to give a little history into one of our most transformative initiatives related to security at Datto.

The Journey of Building Secure Products with a Best in Class Framework

In 2019, several engineers at Datto embarked on our Building Security In Maturity Model (BSIMM) journey. Equipped with two embedded Security Engineers and a Security Architect, we began looking for a way to holistically improve Datto’s Application Security program in a meaningful, organised and measurable way. We opted to start out by using BSIMM as an inspiration. In support of our agile culture, we were seeking easy to adopt initiatives that would have a positive security impact on our products. This was an important first step as it not only provided us the time to both understand BSIMM, but also to begin identifying and documenting areas of opportunity. This subsequently allowed us to understand the scope and scale of some of the work we both needed and wanted to accomplish. As this work began to gain momentum, our Program Manager, Emilyann Fogarty, became involved and helped to socialise, educate and rally support for the program.

In parallel with our BSIMM work, we evaluated other Application Security Frameworks for our use, including NIST and OWASP Open SAMM. While we saw the value in these frameworks and will likely incorporate elements of them into Datto’s Application Security Framework, they result in self attestation and do not offer the option of an impartial third party assessment. These other frameworks are also static in nature, yet security is changing at a rapid pace. BSIMM remains relevant and is consistently maintained, with annual updates that include emerging capabilities that some of the best security programs in the world are employing to protect their applications.

At the time, we felt it would have been insufficient to leverage a framework that was not proactive in identifying and highlighting important security capabilities and practices. Because we hold ourselves to the highest standard on behalf of the MSP community, we chose to start with the only framework that offers the highest level of verifiable assurance through third party evaluation. By completing a BSIMM assessment, Datto would be joining a cohort of 120+ security conscious organisations, mostly in Technology and Financial services, including Cisco and Paypal, who help to set the baseline through their participation. It would also make Datto the first, and so far only, 100% IT channel focused vendor to become a member of this cohort.

With Emilyann’s help and a clearer understanding of our goals with BSIMM, we began to define and build our BSIMM program beyond the scope of our individual products. First, we started the process of building out our satellite by asking for volunteers within Datto’s Software Engineering departments. This formed the start of our Security Champion program. To support and enable this group of individuals, we solicited a group of engineering leaders who ultimately became the core of our Software Security Group. This group was tasked with helping to manage and oversee the BSIMM program.

It was my privilege to be named one of the first Security Champions towards the beginning of 2020. Being embedded in Datto’s Autotask Professional Services Automation (PSA) allowed me the opportunity to watch our network of Security Champions grow. What started out as just three Security team members quickly evolved into a network of well over 30 Security Champions, DevSecOps and other volunteers and hires, embedded and distributed (I’m proud to say) in every single one of our products. This part of our program has reached such a level of maturity, that despite Infocyte being a very recent acquisition for Datto, the discussion of embedding a dedicated Security Champion was included in the initial due diligence and planning processes of the partnership.

The Next Generation of Application Security at Datto

As the scope and scale of Datto’s Application Security initiative continued to grow, it became clear that we needed a more centralised team to help coordinate this accelerating Security work. Enter Datto’s newly formalised and dedicated Application Security department. While Application Security had already existed within Datto, it was combined with the Offensive Security department, which meant the team was responsible for both Application Security and Offensive Security. As Datto continued to grow, and as the Application Security and BSIMM work continued to scale, the need to split Application Security into its own department became apparent. This restructuring allowed the Offensive Security team to focus on very specific activities like Pentesting, Red Teaming, Exploit R&D and Social Engineering. This also enabled Application Security to focus solely on helping our products build secure software by embedding security practices in all phases of their Software Development Life Cycles (SDLC).

After observing and helping to guide the development of our BSIMM program and our satellite of Security Champions, I was elated to have been asked to manage and formalise the new Application Security team. Using my many years of experience working on our Offensive Security team, leveraging my Software Engineering experience and leaning on my time as PSA’s Security Champion, I have the singular focus of helping to guide Datto and our products in our effort to achieve and maintain a high level of security maturity for all of our products. In addition to this transition, Datto’s VDP also became the responsibility of our Application Security department and discussions began on both how to improve internal VDP processes and what the future of the program might look like.

How is all of this Application Security information relevant to the VDP? The previously mentioned network of Security Champions is now directly responsible for assisting the Application Security team with all security related initiatives. They are also empowered within their own teams to drive their own security initiatives with support from our Application Security team and Engineering leadership.

Having an external VDP or Bug Bounty Program (BBP) is a new level three BSIMM activity, introduced for the first time in v12 of the framework. Thanks to our proactive and continuous efforts in looking for ways to improve collaboration around security, we already had a VDP in place. Because of our maturity in this area, I was invited to speak on an expert panel at the 2021 BSIMM conference specifically on this topic, along with experts from both Yahoo and Lenovo.

Third-Party Validation

The expansion of our Application Security department’s role and responsibilities was a natural result of our commitment to adapt our defenses to protect Datto and our MSP partners. Datto’s Information Security team was closely monitoring the changing IT Channel threat landscape in 2018 and 2019 and had already anticipated that software security attacks on MSP supply chain vendors would become a larger issue. The activities we undertook in the intervening year and a half prepared us for a more hostile ecosystem that manifested fully in 2021, which we refer to as ‘The year of the MSP Supply Chain Attack’. Amidst the channel chaos, the work we had completed to prepare for verifiable software security culminated in delivery of our first formal BSIMM assessment performed by Synopsys for Datto's RMM.

Despite being a new program and a new department, the RMM assessment results conveyed that Datto has a level of program maturity equivalent to companies whose software security programs have been running for 5.7 years. This was a huge accomplishment, and while I would love for Application Security to take full credit, the reality is that our products were already performing many security related activities and best practices in an effort to “do the right thing” and to protect the confidentiality, integrity and availability of our partners and their data.

We didn’t stop there either. In December of 2021 we performed an assessment of Datto Networking with similar results. This year we plan on undergoing a formal BSIMM assessment with many more of our products. The first of which being our Business Continuity Product, which is scheduled to begin the first week of April 2022.

Our Ongoing Commitment to the MSP Community

While we are proud of the assessment results and progress our products have made, security is as critical as ever. This is the time to continue to accelerate our commitment to ensuring we are delivering the most secure products we can to our partners. Datto and our Application Security team is just getting started in a continuous lifecycle of Security Maturity. I am honored to have had the chance to share a glimpse into the progress we’ve made and look forward to sharing more details about our work with the community in the future.