Hello Matthew,

Thank you for sharing this story. I recently have been struggling with this kind of setup and whether or not the risks associated with supply-chain poisoning outweigh the benefits. In my case, I am conflicted on whether a software developer should use Octopus Deploy to patch their own products on non-owned, mutually exclusive, customer networks. My general position had been a “no” but I was unable to articulate why. In passive chat within our DevOps teams and in multiple communities the general feeling was the same.

I started my research with a question to the developers whether or not a case like like mine would fall within the intended usage of Octopus Deploy. The answer was a resounding “yes” and followed up with:

We are not concerned with if the agent is installed on company-owned or non-owned computers.

Juxtaposed against Octopus Deploy are the many RMM and configuration management tools that arguably pose the same kind of risks. I was trying to understand whether there was a conceptual difference between an IT supplier using those tools and a software developer using Octopus Deploy to update their own software. The only difference I could think of is that there is a functional difference between an IT supplier and a software developer, in that the IT supplier is responsible for the environment while the software developer has a narrow-focus on their product. Arguably, Octopus Deploy itself is safer than many of the RMM tools, so that was never the issue for me. For me, the argument was whether this was the right tool in the wrong hands.

To make matters slightly more complicated, in all cases involved the hundreds of customers involved have their own IT vendors that look after the environments. In contrast to your managed systems — where I suspect there is little flexibility on the user/system side and even the fluid configurations are fairly standard, the environments involved here differ substantially from each other with users being office workers with full freedoms of their systems.

In my view, there is a line that needs to be drawn in the sand where the use of Octopus Deploy is no longer acceptable. The fear is that hundreds of tenants connected to a software-developer without any obligation for uptime, with conflict against IT suppliers, and without disclosed security governance (refusal to respond to VSAQs, no responsible custodians over security, and multiple examples of poor security practices) would ultimately empower a malicious actor to cause grave harm with little friction.

Do you believe a software developer/vendor should be able to install tenants only to deploy/manage their own suite of software on decentralized customer networks? What obligation do you think they have over disclosing their internal security policies? Do you believe they should communicate risks clearly? Should they carry the burned of responsibility an incident transpires? Or, simply, am I losing sleep over the wrong issue here and that they introduce no additional risk than that which and IT supplier might with RMM?