In May 2024, Automox became an inaugural signatory to CISA’s Secure by Design pledge, reaffirming our commitment to delivering proactive and resilient autonomous endpoint management solutions.
CISA’s Secure by Design program focuses on embedding security principles into every phase of the software development lifecycle, ensuring that products are built with security as a core foundation rather than an afterthought.
This post provides an update on the progress made since signing CISA’s Secure by Design pledge to enhance the security posture of Automox's products and processes.
Secure by Design Goals and Automox Updates
Implement Multifactor Authentication (MFA) as Default
Automox prioritizes the security of its customers by implementing multifactor authentication as a fundamental, Secure-by-Default capability. MFA is enabled by default and is provided to all customers at no additional cost.
Eliminate Use of Default Passwords
To prevent exploitation of weak credentials, Automox has always actively enforced robust password policies. This includes blocking the use of default, weak, or previously compromised passwords.
Address Systemic Vulnerabilities
Automox is actively working on architecture improvements, including increasing adoption of secure baseline images. These efforts aim to reduce entire classes of vulnerabilities across our systems.
This work is expected to strengthen Automox's security posture, though no approach eliminates all risks. Practices will continue to evolve to stay ahead of emerging threats.
These proactive changes target the reduction of entire classes of vulnerabilities that adversaries frequently exploit. Automox has also taken steps to strengthen internal pipelines to enhance reliability and ensure consistent, secure software signing and delivery.
Advance Patch Management and Supply Chain Security
Automox follows Secure-by-Default principles to automate and streamline patch management. Publicly available incident response scripts address vulnerabilities, helping customers and the cybersecurity community at large strengthen their defenses against common threats.
Automox also operates "Patch Safe," a monitoring solution for third-party packages, which screens for malware and supports the secure software supply chain.
When agent patches are required, updates are deployed globally without customer intervention unless automatic updates have been intentionally disabled. In such cases, swift communication is provided to encourage prompt action.
Automox also releases several security-related podcasts each month, including the Patch [FIX] Tuesday podcast and the CISO IT podcast.
Maintain Transparent Vulnerability Disclosure Processes
Automox has maintained and operated a vulnerability disclosure program for over two years, inviting researchers to collaborate on identifying vulnerabilities and promoting secure-by-design principles through accountability.
As a CVE Numbering Authority (CNA), Automox supplements CVE records with essential details, such as CWE and CPE data, to better inform customers and the wider security community.
Provide Evidence of Intrusions
Automox has integrated security monitoring by including an audit trail that uses the OCSF format. This gives organizations access to reliable logs for detecting, analyzing, and addressing potential intrusions.
These audit trail capabilities are available without cost to all customers.
Secure by Design
Automox acknowledges and supports CISA’s leadership in promoting Secure by Design as a foundational standard for technology providers.
This initiative aligns with our mission to drive proactive, secure IT practices. Automox remains dedicated to advancing Secure by Design principles, exceeding initial commitments to strengthen resilience across modern IT environments.