2020 Leaves an Imprint on the LabVantage LIMS Security Roadmap

Wednesday, February 24, 2021

Cybersecurity grabbed headlines at the tail-end of 2020 (as if they really needed any more ‘grabbing’), with news in December of massive cyberattacks against the U.S. government. From ZDNet:

“Cyberattackers certainly haven’t given anyone a break this year. Data breaches, network infiltrations, bulk data theft and sale, identity theft, and ransomware outbreaks shows no signs of stopping. Research suggests that remote workers have become the source of up to 20% of cybersecurity incidents, ransomware is on the rise, and we are yet to learn that “123456” is not an adequate password.”

With digital transformation taking hold in companies around the world and workers increasingly offsite, cybersecurity isn’t a concern that will go away. The lesson of 2020 is that we must continue to innovate and adapt, not only adjusting to new work realities but proactively understanding the security challenges which may arise.

With that in mind, here’s a roundup of information about LabVantage LIMS security – steps we’ve taken, areas of concern, future direction, etc.

New Releases Rolling Out Now; More to Come
LabVantage takes your security very seriously. We have been extremely active over the last eight months, implementing new features and improvements to protect the integrity and privacy of your data for current and upcoming versions of LabVantage.

Product Roadmap
You’ve may have heard some different numbers referring to the versioning scheme for LabVantage. That’s because we had a few small changes along the way, so let’s start by clarifying the current roadmap.

LabVantage 8.6 was released ahead of our original schedule in December 2020. What’s unique about version 8.6 is that the changes were almost entirely security-related improvements. These include a completely new set of security features intended to make LabVantage less vulnerable to web-based intrusion. These features are designed to protect your system against possible concerns identified not only by LabVantage’s internal teams, but also by independent third-party organizations (more details on that in a moment).

We’ve also made a number of changes to “harden” the system. Magic byte detection technology has been added to attachments and file upload to prevent malicious files from infiltrating the system. We’ve also reviewed and upgraded all third-party libraries — just as we would for a major release — to eliminate compatibility issues and security vulnerabilities.

LabVantage 8.7, coming later this year, will focus on a new portal feature that enables a subset of the LIMS to be accessible to users outside the lab through a separate login. This offers many new benefits to labs, but of course, once you start exposing the portal to the big wide world, you have less control over who uses the system and cybersecurity becomes a much more critical issue. For this reason, the security enhancements being launched in version 8.6 have been developed in tandem with the portal program, so they’ll go seamlessly with this new functionality when it becomes available.

Enhancing Security Today and Tomorrow
When implementing security considerations for version 8.6 and beyond, we’re paying a great deal of attention to the major web application security risks identified by the Open Web Application Security Project (OWASP). In particular, we’re focusing on the “OWASP Top 10”, a third-party awareness standard for developers and web application security, which represents a broad consensus about the most critical security risks to web applications.

It’s important to understand that the OWASP Top 10 is something of a moving target. The threats it covers could be different tomorrow, next week, or next year. And while specific items on the current list definitely need to be confronted, what’s more important is how LabVantage is changing its culture to keep security constantly in the forefront of everything we do.

To make that happen, we’ve implemented a four-part strategy:

  1. Add robust new security features to the software itself based on the recommendations of independent organizations like OWASP, end users, and our own internal security teams.
  2. Update most processes, including standard operating procedures and work instructions, to foster a culture and process procedure that prioritizes security.
  3. Step up security training for R&D company-wide, as well as the entire engineering staff, support, professional services, partner organizations and others to make sure everybody is aware of cybersecurity vulnerabilities. As part of this effort, we’re also introducing ongoing lunch and learn topics and a Certified Ethical Hacker prep training course.
  4. Proactive identification of vulnerabilities using automated source code scanning and quality gates, a regular R&D “hackathon” where our own expert developers try to hack their own software, plus regular penetration testing by an objective third-party organization.

Where to Learn More
The security improvements discussed here are merely highlights of the changes being implemented — far too numerous to be covered here —to improve security in version 8.6 and beyond. Full details are available in the release documentation and help documentation for LabVantage 8.6.