Ivanti commits to secure-by-design overhaul after vulnerability nightmare

Ivanti has committed to adopting a secure-by-design approach to security as it gears up for an organizational overhaul in response to the multiple vulnerabilities in Connect Secure exploited earlier this year. CEO Jeff Abbott penned an open letter to Ivanti's customers and partners this week, saying "events in recent months …

  1. Dan 55 Silver badge

    Q1 results are in... CEO sends out missive

    Shouldn't it be the CTO reacting a little earlier than this?

  2. Zibob Bronze badge

    Only after the fact

    This is infuriating to me. They know there are serious security concerns with holding sensitive information, yet design the business such that security is a later thought, after money.

    Anyone operating with this sort of information should default to security before all else, and then have it verified and tested, not just call it good and expect it not to be pushed; that's how we end up here with sensible, but in context utterly idiotic, statements like "we have been humbled" and going forward with security-by-design now that it has happened.

    Nah, that should be grounds for the company board and engineers to be fired and the project given to more responsible people.

    Security should be the default JOB 1. Then the functionality while maintaining the security.

    1. Nate Amsden

      Re: Only after the fact

      They have a short memory; a few years ago there were another few big security bugs that caused a bunch of issues. I remember providing feedback on multiple support cases at the time and they would ask something like "what could we do better?" and I said make it more secure... and it seemed they got better for a while till things fell apart again.

      Fortunately none of the issues caused any compromises on my end. Thanks to El Reg and Arstechnica for the good reporting.

      1. GoneFission

        Re: Only after the fact

        They decided the PR cost from the fallout of another incident would be less than continuing to adhere to secure practices in development and design

      2. Anonymous Coward

        Re: Only after the fact

        How many years ago? Ivanti only acquired Pulse Secure at the end of 2020. They've owned those products a bit more than three years, which frankly ought to have been enough time to make major improvements in the development process, but those things do take some time.

        I think an important lesson here is "be careful about acquiring software product lines". I've been a bystander in more than a few acquisitions of that type, and often diligence for software-product quality, security, and development process is not great. (In the most recent one I was pleased to see the purchaser compiling information about some of these aspects prior to close. It shows they're aware of the potential risk and looking to mitigate it, at least.)

        1. Anonymous Coward

          Not sure how the timeline for the 2020 breach and the acquisition line up

          but it's clear that they already went pants down once in recent years and didn't address the deep institutional problems. Now that they are eyeballs deep in the fallout of a second massive breach, they are waving their arms about change. Bit late. I'm prone to letting someone else prove an unreliable vendor is reliable for a few years after an incident like this, after they cause me to lose sleep. I will watch from the relative safety of a competitor's solution till the dust settles if I have my way.

          It's nice the C levels are announcing they promise to fix things. Tell sales to lose my number until then.

  3. Anonymous Coward

    They still have customers?

    Seriously, who would stick with them after everything that happened, and the way they handled it? We couldn't drop them fast enough. 8,000 seats. Gone.

    1. HuBo
      Joke

      Re: They still have customers?

      But ... wait ... look ... they have this real solid plan now:

      "AI is being applied all over the place to further this goal, from Ivanti's customer portal's search functionality to an AI-powered Interactive Voice Response"

      AI! That will solve everything!

      1. Michael Wojcik Silver badge

        Re: They still have customers?

        Might be a more attractive target than Ivanti Secure Access, though.

    2. Anonymous Coward

      Re: They still have customers?

      I hope you moved to Fortinet. Might as well just remove the door from the hinges.

      1. Michael Wojcik Silver badge

        Re: They still have customers?

        A good point. Most of the VPN appliance products seem to regularly rack up CVEs. Remember that fun Fortinet ssh backdoor back in 2016?

        VPNs are part of defense in depth, but you want a lot of depth.

  4. I am David Jones Silver badge
    FAIL

    Long-time vendor of security software only now decides to go for security by design.

    .slow clap.

    1. Michael Wojcik Silver badge

      Actually I think Ivanti has only been a "security software" firm since 2013, when LANDESK acquired Shavlik. Though I guess a decade counts as "long-time" in this industry. And LANDESK has been around in one form or another since the mid-1980s, so the corporate culture really ought to have had time to optimize a bit toward safer software.

      (Yeah, glass houses. I know. I am reminded daily.)

  5. Anonymous Coward

    Ancient Joke

    Outside: Knock, knock.

    Inside: Who's there?

    Outside: Supply Chain.

    Inside: Supply Chain who?

    Outside: Supply Chain Attacker!!!

    ...with thanks for contributions by SolarWinds and xz......

    1. Michael Wojcik Silver badge

      Re: Ancient Joke

      Damn it, now I have the image of an anime character yelling "Supply Chain Attack!"[1] before unleashing his formidable Solar Wind[2] power stuck in my head.

      [1] サパーライー・チェーイン・アタックー!! ("Supply Chain Attack!!")

      [2] ソーラー・イーンドー! ("Solar Wind!")

  6. Anonymous Coward

    How many of the previous owners knew / didn't know about the PulseSecure problems???

    So before Ivanti, their VPN product PulseSecure was maintained by a company of the same name, which itself was sold off from Juniper, who bought it from Netscreen, who acquired the original creators Neoteris. Some of the now exposed issues probably existed several owners ago, all of whom either knew and accepted the risks or didn't do proper due diligence. I have been a customer since the Neoteris days, and have now abandoned the platform; I will not consider Ivanti again, given how this was handled.

    1. Michael Wojcik Silver badge

      Re: How many of the previous owners knew / didn't know about the PulseSecure problems???

      Reports in SANS and elsewhere made reference to "old PHP code" and that sort of thing, which certainly doesn't inspire confidence.

    2. Sven Coenye
      Flame

      Re: How many of the previous owners knew / didn't know about the PulseSecure problems???

      IIRC, Juniper was the one with the backdoor annex catflap in their firewalls in 2015, so this sounds like par for the course...

    3. Anonymous Coward

      Re: How many of the previous owners knew / didn't know about the PulseSecure problems???

      I wonder if I should re-open my security bug report ticket and see if it's now worth any money.
