Security and vulnerability management in ADSelfService Plus

Security has always been at the forefront of ManageEngine's priorities. We have taken multiple measures, from employing multi-level security checks during development to third-party penetration testing, to ensure ADSelfService Plus is secure and caters to the security requirements of our customers.

Every step of the development of the solution is subjected to a rigorous testing process by multiple security teams to find security flaws. We make sure to fix any issue reported as soon as possible, whether it is identified by our internal teams, external communities or experts.

       
Product Testing Procedures for ADSelfService Plus

  • Security assessment by the ADSelfService Plus security team
  • Security and compliance testing by the ManageEngine security team
  • Internal and external vulnerability reporting programs

 
  

1 Security assessment by the ADSelfService Plus security team

The ADSelfService Plus team follows security procedures at every stage of feature development to ensure that the product is secure against cyberattacks.

  • Before starting development of a new feature, the security team assesses its architecture and design. The main focus of this review is to ensure that the various modules designed for this new feature meet the required security norms.
  • Once the feature is developed, the code is reviewed by our security team for any violation of coding and security standards.
  • Before releasing the feature to the public, we perform a round of black-box and white-box testing. This is done to ensure that the feature works as expected, and the code is scrutinized for other possible flaws.

2 Security and compliance testing by the ManageEngine security team

Besides the ADSelfService Plus security team, there's also a dedicated security team at ManageEngine whose goal is to ensure that all ManageEngine products comply with stringent IT security norms.

The ManageEngine security team performs the following tests on ADSelfService Plus before every release:
  • Static code analysis: Using in-house tools, the entire product code repository is checked for code-level vulnerabilities and third-party dependencies.
  • Authentication testing: These tests identify any flaws in the different authentication procedures of ADSelfService Plus.
  • Authorization testing: At this phase, the different user roles and permissions are checked to ensure they've been assigned correctly.
  • Security misconfiguration: The various third-party components and all the configurations used by these components are checked to ensure they're in proper order.
  
  

3 Internal and external vulnerability reporting programs

ManageEngine also conducts bug bounty programs where individuals or groups from within ManageEngine along with external people, communities, and security experts can notify us if any vulnerability in our solutions has been identified. We immediately begin working on developing and releasing a fix for the vulnerability in such cases.

Here’s what we do if a vulnerability is reported:
The response time to develop and release the fix is based on the following criteria:
  • Critical-severity vulnerabilities will be addressed immediately (within a day of discovery).
  • High-severity vulnerabilities will be fully addressed within seven calendar days of discovery.
  • Medium-severity vulnerabilities will be addressed within 30 calendar days of discovery.
  • Low-severity vulnerabilities will be addressed within 60 calendar days of discovery.

4 Third-party pen testing

The ADSelfService Plus team has partnered with WeSecureApp, an independent application security company, to conduct manual pen tests on ADSelfService Plus, so that we get a third-party perspective on the security footing of the solution. Pen tests are conducted once every quarter. The vendor also conducts these tests yearly on the ADSelfService Plus mobile apps for iOS and Android.

  
  

5 Ensuring the fix reaches our customers

We notify customers about vulnerability fixes in several ways:

  • We announce the release of the fix on this page.
  • Regular updates containing new features, enhancements, and bug fixes are released at frequent time intervals and recorded here.
  • We make public announcements.
  • We keep our customers updated by making announcements within the product console.
  • We cover security updates in our product newsletters.
  • We announce the release of the fix in our product forum.
  • Based on the severity of the vulnerability, we also send emails to customers.
