Security with iTop: at the heart of our development strategy

As the year gets under way, we at Combodo, iTop‘s software editor, are strengthening our security approach. We are releasing corrective versions with many security fixes for both LTS and STS versions, along with key environment security modules such as multi-factor authentication (MFA) and a new Oauth-based authentication. These updates demonstrate our ongoing commitment to improving iTop’s security.

A structured, proactive approach

Security has always been a cornerstone of iTop’s development, built on three key principles :

Integrated security features

• Secure authentication: iTop already offers advanced authentication mechanisms such as SSO (Single Sign-On), protection against brute-force attacks and now MFA.
• History and traceability: iTop keeps a record of every interaction, for precise monitoring of operations.
• Secure communication: iTop enables direct discussions within the solution, rather than by e-mail, reducing the risk of information leaks and therefore protecting users’ personal data.

Security testing

• Regular audits: Independent specialized companies perform periodic security tests on the solution and its environment to ensure the highest level of security.
• Dealing with vulnerabilities: Following up from the audits, we ensure that any identified security vulnerabilities are addressed via , a public, documented process guaranteeing prompt rectification

Compliance with security standards

• Market standards, NIS2 and SecNumCloud: while Combodo is not eligible for European NIS2 certification or even SecNumCloud , since SNC is mostly for large businesses, we have taken steps to ensure iTop meets as many of these two certifications’ criteria as possible, aligning our security policy with current best practices.
• Continuous improvement: to ensure iTop’s security policy continues to evolve proactively, we have introduced ANSSI security rules, working with certified service providers, and investing in CISO and DPO roles.

Focus on iTop’s new security features

Combodo has decided to reinforce the security aspect of iTop’s development strategy, introducing new modules to secure its environment.

Multi-factor authentication (MFA)

Today, MFA is an essential market standard when it comes to access security. In iTop, we have implemented:

• Authentication via a mobile application or e-mail code: A basic principle of MFA, this dramatically reduces the risk of unauthorized access by adding an extra layer of security, even if passwords are leaked or stolen. An IT administrator who uses iTop on several devices, for example, can secure each connection with a unique code sent to their cell phone.
• Recovery codes: Users retain secure access to their account even in the event of unforeseen circumstances (e.g. lost password), guaranteeing business continuity. The MFA module will suggest a series of unique codes to recover the login ID. An external consultant who is working on a project, for example, can regain access to their account even if their phone is lost or stolen.
• Compatibility with professional solutions (Windows Hello, U2F, FIDO2): Businesses can incorporate advanced authentication, such as fingerprints or facial recognition, bringing iTop into line with security best practices while simplifying the user experience.
• Flexible configuration to suit specific requirements: Administrators can define global rules by organization and profile, while individual users can customize their security settings according to their preferences. This approach guarantees a tailor-made, secure experience. A technical support team can then define strict security policies for its members, while giving project managers greater flexibility.

MFA will soon be available on iTop Hub, stay tuned !

Webhook OAuth: a new authentication standard

The OAuth webhook simplifies and secures traditional login/password systems, and is becoming a common requirement for many identity managers:

• Increased security thanks to a standardized protocol. Sensitive data is further protected by an industry-recognized secure protocol, to reduce the risk of accounts being compromised. Power Automate users can then connect to iTop without sharing a password, reducing the risk of data leakage.
• Anticipation of technology developments. Users remain compliant with market standards, avoiding compatibility problems in future. For example, implementing OAuth today means a SaaS provider who wants to add iTop to its ecosystem has guaranteed integration continuity.
• Compatibility with third-party solutions such as Power Automate, Teams, Slack, Googlechat and RocketChat. Businesses can add iTop to complex IT ecosystems with no extra effort, for maximum interoperability and productivity.

Corrective Releases: Upgrade to iTop 3.2.1 Now

Three new releases are now available! They update the active versions of iTop and are part of our well-established and planned corrective maintenance process, allowing users to anticipate their version upgrades.

The latest wave of releases includes two LTS (Long Term Support) versions—iTop 3.2.1 and iTop 2.7.12—as well as one STS (Short Term Support) version, iTop 3.1.3. All of them include bug fixes and security enhancements.

Current Versions Overview :

• iTop 2.7 (LTS): Maintained until Q3 2025
• iTop 3.1.3: Final maintenance release of STS 3.1
• iTop 3.0: No longer maintained
• Only the lastest version of each extension is maintained

Find here the full version, release, and end-of-support schedule.

Future-oriented safety

By integrating these security standards iTop is proving its ability to anticipate market trends and provide robust, configurable solutions. While we don’t claim to be innovating on existing standards, our development emphasis is on the flexibility and scalability of these features, and ensuring continuous improvement for our security strategy.

With these updates, iTop users can address security issues with confidence, in the knowledge that the solution meets current standards and is ready for future challenges. Safety is not just an obligation, it’s a lasting commitment for Combodo and our user community.