October’s Cybersecurity Awareness Month seems like a great time to discuss the improvements we are making at The OpenNMS Group to improve our security practices.

For almost 20 years, OpenNMS staff developers and the open source contributor community have partnered to create robust and secure network monitoring platforms available in community-driven (Horizon) and enterprise-ready (Meridian) distributions..

Because OpenNMS deployments have access to sensitive network data within organizations, our developers have always diligently watched for security issues and responded quickly to address significant problems when needed. Security at OpenNMS was collectively “owned” by everyone.

In 2021, I joined OpenNMS as Chief Information Security Officer and began formalizing our security program. Although I still want security as part of everyone’s job, I also wanted our new security team to align our security program to industry standard practices, by making the following improvements:

  • Adopt the ISO/IEC 27001/2 Information security, cybersecurity, and privacy protection framework for the OpenNMS Security Program.
  • Create new Information Security Standards (“rules”) aligned to ISO. We completed phase one in June 2022.
  • Revise our internal software development, operations, and business processes to better align to our new security standards and ISO. We expect to complete this phase two work by year-end 2022.
  • In 2023, we will conduct an audit of our security program to ensure alignment to security best practices as described in ISO 27001/2.
  • Updated our privacy practices to ensure compliance with GDPR and CCPA privacy regulations.
  • OpenNMS recently became a CVE numbering authority (CNA) so that we can now feed vulnerability remediation information into the global CVE database maintained by the non-profit MITRE Corporation. This allows our customers to use industry-standard tools to quickly detect and remediate reported vulnerabilities within our software.
  • Engaged an outside firm to increase security penetration testing for our products and services. Previously all security testing was in-house or by the open-source community, which remain valuable sources of security testing.

We welcome any questions or feedback regarding these security improvements via email ([email protected]) or our customer support team. And thank you for using and contributing to OpenNMS projects and products.

Jeff Jancula, Chief Information Security Officer