So this is a fairly general question, but w/all the recent (and not so recent) file-transfer-application related security issues (eg: GoA, Accelion, MoveIt, etc), I was wondering what Liquidfiles might specifically be doing to help prevent such a problem. Additionally, what other users of Liquidfiles might be doing themselves. Sure, I've done basic stuff - enabled auto-update, put the web-gui behind a WAF (AWS WAF in my case), enabled Duo/MFA for authenticated logins, etc. I've enabled some of the basic built-in stuff like BruteForce protection, Admin IPs restriction, and am constantly reducing the GeoIP list (again AWS WAF.) I get there's only so much that can be done or might be worth the RoI on either Liquidfiles company's part or for us end-users. Note, I'm primarily focusing on actual security breaches and not an authorized user accidentally sending the wrong file, for example. Has anyone done (and be willing to share the results of) a pen-test, or code-review? I don't even know how to go about beginning such a task (which I suspect I wouldn't/couldn't do anyway, even if I did!) Again, I realize this is a fairly general question, and most mitigations and attack surface area reductions steps are probably very specific to each user's specific use-case. But if anyone has things they've tried, I'd love to hear them, even if they're built-in to Liquidfiles - maybe you have an interesting way of using feature-x aside from its obvious? Thanks all. PS Yah, the MoveIt breach has caused our local security team to reevaluate mft-like applications again.
LF appliance is distributed with security by mind. There is not required to reconfigure anything after the installation. The application and system security updates are enabled as well. Placing LF behind a proxy or WAF is possible but it's not recommended by us. LF appliance is tested very frequently by our clients some of them are sharing and consults the pen tests results with us. Unfortunately we (LF support) can't publish these pen test reports to protects data of our clients. I can share that when some security issue is discovered by some of the pen test report it's fixed very quickly, usually in few days. So from security perspective most important is to keep enabled the automatic updates or at least read the newsletter or release notes and update manually then.
