In the wake of recent attacks against MSP Automation tools, we’d like to take a moment to discuss ImmyBot’s security posture, and what our plans are to remain ahead of the curve.
We are SOC 2 Type II compliant
ImmyBot instances are isolated with their own database, app services, and storage accounts
ImmyBot’s mandatory AzureAD SSO prevents unauthorized access from stale local user accounts.
ImmyBot’s strict use of Entity Framework means our codebase never hand-writes SQL; query inputs are parameterized by default.
Communication to RMMs, like ConnectWise Automate and N-Central, uses MFA. You do not need to disable multifactor authentication for our integration to function.
ImmyBot Agent communication is secured through the Azure IoTHub.
ImmyBot is built on .NET and Vue.js, hosted in Azure, and leverages services like IoTHub, Service Bus, and Azure SQL for Postgres. Our security posture benefits tremendously from using these modern services.
ImmyBot's database access is done exclusively through Microsoft’s Entity Framework ORM. This significantly reduces the likelihood of SQL injection, a common attack vector. Many legacy tools have SQL embedded directly in the application code itself, which can lead to vulnerabilities.
[Image: xkcd, "Exploits of a Mom"]
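To make the ORM point concrete, here is an added example (not ImmyBot's code; the Technician model, DemoContext and the sample rows are hypothetical) showing that Entity Framework parameterizes LINQ and FromSqlInterpolated queries, while concatenating user input into FromSqlRaw puts hand-built SQL back into the application code and reintroduces the injection risk:

```csharp
// Requires NuGet package Microsoft.EntityFrameworkCore.Sqlite (pulls in Microsoft.Data.Sqlite).
using System;
using System.Linq;
using Microsoft.Data.Sqlite;
using Microsoft.EntityFrameworkCore;

// Hypothetical entity, not ImmyBot's schema.
public class Technician { public int Id { get; set; } public string Name { get; set; } = ""; }

public class DemoContext : DbContext
{
    public DbSet<Technician> Technicians => Set<Technician>();
    public DemoContext(DbContextOptions<DemoContext> options) : base(options) { }
}

public static class Program
{
    // Safe: EF translates the LINQ predicate into SQL with a bound parameter.
    public static int CountByNameLinq(DemoContext db, string name) =>
        db.Technicians.Count(t => t.Name == name);

    // Safe: each {} hole in the interpolated string becomes a DbParameter, not SQL text.
    public static int CountByNameInterpolated(DemoContext db, string name) =>
        db.Technicians.FromSqlInterpolated($"SELECT * FROM Technicians WHERE Name = {name}").Count();

    // Unsafe: the input is spliced into the SQL string before EF ever sees it,
    // so the ORM cannot protect this query. This is the legacy pattern the post warns about.
    public static int CountByNameConcat(DemoContext db, string name) =>
        db.Technicians.FromSqlRaw("SELECT * FROM Technicians WHERE Name = '" + name + "'").Count();

    public static void Main()
    {
        // In-memory SQLite so the demo runs offline; the connection must stay open for the DB to live.
        using var conn = new SqliteConnection("DataSource=:memory:");
        conn.Open();
        var opts = new DbContextOptionsBuilder<DemoContext>().UseSqlite(conn).Options;
        using var db = new DemoContext(opts);
        db.Database.EnsureCreated();
        db.Technicians.AddRange(new Technician { Name = "alice" }, new Technician { Name = "bob" });
        db.SaveChanges();

        const string hostile = "x' OR '1'='1"; // constructed sample input that no real technician is named
        Console.WriteLine($"LINQ:         {CountByNameLinq(db, hostile)}");
        Console.WriteLine($"Interpolated: {CountByNameInterpolated(db, hostile)}");
        Console.WriteLine($"Concatenated: {CountByNameConcat(db, hostile)}");
    }
}
```

The two parameterized queries treat the whole string as a literal name and match nothing, whereas the concatenated query has its WHERE clause rewritten by the input and matches every row.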
The Azure IoT Hub ensures ImmyBot uses best practices for device registration, and encrypts communication both from our backend to the hub and from the hub to our agents. It also offloads a significant amount of compute from our backend by managing connections and message brokering.
Each ImmyBot instance is separate and has its own IoT Hub, Storage Account, Database, and Web Services. This was done intentionally to prevent cross-tenant data leaks. Our intention is to eventually offer ImmyBot in a Bring-Your-Own-Cloud format, allowing you to host it in your own Azure tenant where you control the location of the data. This is important for countries where data needs to remain within their borders.