This release adds several important security features to Movere. In addition, our new application dependency mapping feature, Movere FWD, goes live for all users!
With Movere FWD, we’re excited to introduce new functionality for application dependency mapping, which enables users to identify and document all the dependencies of an organization’s applications in order to understand their performance and interaction across all systems.
In addition, you will be able to create tags and apply them to devices and workloads directly within the FWD view.
At the same time, ensuring security for our customers continues to be a top priority for our team at Movere. With our upcoming release, we’re further hardening our technology to provide organizations with enhanced control over their environment as a first defense in a robust security strategy.
These updates include the Movere Installer, which increases the security of the bots and executables by allowing only users with the appropriate permissions to access and run the updated Movere Console (version 22.214.171.124). They also include the Magic Word functionality, which requires a user to create a locally stored password upon first opening the Movere Console; that password is then required every time the Console is opened. Finally, Internal Communication Encryption means that communication between the Movere bots and the Console will happen over SSL and use port 443 by default.
This may be important to you: If you have not recently downloaded a token to your Console, please do so prior to August 22nd to ensure minimal disruption. Our engineers have done amazing work to lengthen the backwards compatibility window of prior Consoles, which will continue to work post-release.
Frequently Asked Questions:
What is the driving factor for the timing and nature of this release? As you know, Movere is SOC2 Type 2 certified. As part of those ongoing efforts, Movere undergoes periodic in-depth security reviews to ensure we continue to offer the most secure product possible. This release gives us the opportunity to launch several strategic security updates in advance of our next SOC2 audit (scheduled for Q4 2019).
Why is Movere updating to require installation? The Console will now download with an installer (binary) and the user downloading the Console will choose the specific installation destination. Leveraging an installer allows Movere to set permissions at the folder level.
Will the new Console leverage certificate pinning? Movere will leverage certificate pinning to ensure all files are transferred over encrypted communication channels both externally and internally by use of self-signed certificates on the Console and end-point devices.
Will the new Console change existing scanning methods, such as scanning ESXi or SQL? No, the Console will retain all previous scanning functionality. ESXi and Xen systems will now be targeted directly via a Linux scan, rather than through system-specific scanning. Those system-specific options will be removed from the new Console.
Will Movere still allow customers to specify what internal port they wish to scan over? No, the new Console will restrict internal communication to SSL and leverage port 443 only.
When will the previous version(s) of the Console be deprecated and stop working? Previous versions of the Movere Console will stop working once their current token.txt file expires. Tokens are valid for 90 days, and you can check the status of your current token file on the Upload to Cloud tab in the Console. Previous versions of the Console will continue to function until the token file expires, after which time upgrading to the new Console will be required. With all of the security updates we've packed into this release, however, we highly recommend that all users download and run the new version as soon as possible.
Will the new Console change the minimum requirements and/or permissions for scanning? Yes, the new Console will now require .NET 4.7.2 to be installed on any machine running the Console.
Will the new Console install to attached, removable, or shared storage drives? What about cloud storage drives? The new Console must be installed and run from a mapped or mounted drive. The default installation path will install the Console to the Program Files folder on the Local Disk (C: drive).
How will command line scanning change with the new Console? When running the new Console from the command line, you must enter the Magic Word in clear text before the other command string variables, using the -magicword: flag, for example -magicword:magicword123!. This flag should be added before any other variables, for example: Movere.service.exe -magicword:magicword123! -ad -upload.
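Because the Magic Word is passed in clear text, it will appear wherever command lines are recorded, such as process-creation audit logs and scheduled task definitions. The following added example (not Movere code) masks the value in captured command lines and lists which records exposed it; the record field names and sample data are constructed, and the quoted-value and case-insensitive matching are assumptions.

```python
import re

# Flag syntax from the FAQ: -magicword:<value>. Three spellings are covered:
# the whole argument quoted, only the value quoted, or a bare value.
# Quoting and case-insensitive matching are assumptions, chosen so the
# scrubber errs on the side of redacting too much.
_MAGICWORD = re.compile(
    r'"-magicword:[^"]*"'      # "-magicword:two words"
    r'|-magicword:"[^"]*"'     # -magicword:"two words"
    r'|-magicword:\S+',        # -magicword:magicword123!
    re.IGNORECASE,
)
REDACTED = "-magicword:<redacted>"


def redact_command_line(command_line: str) -> str:
    """Return the command line with any Magic Word value masked."""
    return _MAGICWORD.sub(REDACTED, command_line)


def find_exposures(events):
    """List process-creation records whose command line carried a Magic Word.

    Each finding keeps host and user for follow-up but stores only the
    redacted command line, so the report does not leak the secret again.
    """
    findings = []
    for event in events:
        original = event.get("command_line", "")
        cleaned = redact_command_line(original)
        if cleaned != original:
            findings.append({"host": event["host"], "user": event["user"],
                             "command_line": cleaned})
    return findings


# Constructed sample records; field names, hosts, users and paths are hypothetical.
SAMPLE_EVENTS = [
    {"host": "scan01", "user": "CORP\\svc_movere",
     "command_line": "Movere.service.exe -magicword:magicword123! -ad -upload"},
    {"host": "scan02", "user": "CORP\\alice",
     "command_line": '"C:\\Program Files\\Movere\\Movere.service.exe" '
                     '-MagicWord:"two words" -ad'},
    {"host": "scan03", "user": "CORP\\bob",
     "command_line": "notepad.exe C:\\notes\\magicword.txt"},
]

if __name__ == "__main__":
    for finding in find_exposures(SAMPLE_EVENTS):
        print(finding)
```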
If running multiple Movere Consoles within a single environment, will each Console require its own Magic Word? Yes, each Movere Console will require a Magic Word, so if you are running multiple Consoles in your environment, you will need a Magic Word for each Console.
Will Movere require a periodic reset for the Magic Word? No, there will be no reset policy for the Magic Word. The Magic Word will only be required to open a Console that contains credentials; if a Console does not contain any credentials, Movere will prompt for creation of a new Magic Word when opened.
What roles and permissions are required to install Movere? The new Console can only be installed by an active Movere user registered at the customer tenant level with the Write permission.
What is the size of the installation file? The installation file is 2MB, and the Movere Console installs as a 31.5MB uncompressed folder.
What do I do if I forgot my Magic Word? If you forgot your Magic Word, you will need to download and install a net-new Movere Console with a brand-new Magic Word.
How often will Movere ask for the Magic Word? Movere will prompt for the Magic Word whenever the Console is opened (as long as credentials are stored in that Console).
Can a user who did not install the Console or create the Magic Word run a scan? We strongly recommend that users do not share their Magic Word with other users.
Can Movere still be run locally on a target device? Yes. When running the new Console locally, you must copy the certificate file to the target machine, in addition to the Movere bots, token file, and Framework Verifier. Additionally, you must log in to the target machine with the user account that has the required access to the target system. For example, if scanning a SQL server locally, you must log in to the server with the account that has access to the SQL instance in order to collect SQL data.