Our Stance on Secure Development Practices

Tim Titus - CTO of PathSolutionsNetwork Monitoring and Management systems require specific access and rights to be able to perform their duties of speeding recognition of faults and performance problems in an enterprise.

When you put trust in a network monitoring system, you expect the software developers to also respect the same level of care and diligence as you do.

PathSolutions has always viewed security as not only a core design methodology, but also as part of a continuous improvement process.  This means that the architecture of the entire product from its inception was designed with security in mind, and our release and deployment practices are continuously evaluated and improved on.

The following are key parts of our differences than other solutions:

  • Secure Design Methodology: Our software is coded in C/C++ with very few external dependencies.  As a result, it is tighter and more efficient than other software, and uses far fewer DLLs.  In fact, our core service uses only 12 DLLs.  This means our process for validating each DLL can be far more rigorous than other software that may rely on several hundred DLLs.

  • Elimination of Database Attack Vectors: TotalView uses SQLite as its database which is compiled directly into the service.  This means there is separate database service and no port-based communications required for the database to operate.  This completely eliminates a network database attack vector.  Management is also reduced because there is no separate database to secure, patch, manage, or maintain.

  • Reduced Attack Surface: TotalView is also far more scalable than others – this means that one server can be used to monitor and manage the network instead of having multiple collector servers deployed around the environment that each need to be patched to maintain security.

  • Minimal Rights Design Philosophy: Our software is designed to do its job with the minimal amount of rights needed to get the task done.  This means you don’t have to grant the solution “keys to the kingdom”.

  • Agile Development Methodologies with Cross-Checking: Checked in code is cross-checked to make sure it is what it intends to do, and nothing unexpected is included in a release.  This reflects both development as well as QA processes.

  • No Automated, Unattended Updates: Updates to code are applied by the customer when desired.  No automatic triggering of software updates are performed.

  • No Unencrypted Background “Improvement Program” checks: Our software communicates with three certificate validated servers on the Internet via HTTPS/TLS1.2: Our license server, NIST.gov (for OS Vulnerabilities), and IPStack (for Geolocation information).  No other external communications are performed.  All of these communications can be optionally disabled if desired.

If you have any questions or concerns regarding the security of our software, please contact me directly.

Tim Titus
CTO, PathSolutions
CISSP #762999