In April 2024 the Ivanti CEO issued an open letter on our commitment to product security. We are very proud of the progress we have made, but as we all know, Security is a journey of continuous improvement. Ivanti is committed to this journey and to protecting our customers as the threat landscape continues to evolve.

Similar to other companies that develop network security and edge products, our edge products have been targeted and exploited by sophisticated threat actor attacks. While these products are not the ultimate target, they are increasingly the route that well-resourced nation state groups are focusing their effort on to attempt espionage campaigns against extremely high-value organizations.

Our response to any incident is to learn from it, invest in improving our products, and ultimately make it harder for our products to be abused by sophisticated adversaries. 

A final, important point: we all continue to reap value from important security industry partnerships. By collaborating closely with government and security industry partners we are stronger and more secure together. We thank our collaborators and look forward to redoubling our efforts in the future.

Bolstering Product Security and Embracing Secure by Design Frameworks

  • Specialized Security Resources: the Ivanti Security team is comprised of highly skilled security specialists who support Ivanti’s overall security, and a dedicated Product Security Team focused on the security of our solutions. The size of this team has increased more than 8X over the past few years, along with meaningful elevation in threat expertise.

  • Leading Third-Party Partnerships and Tooling: we have expanded engagements with leading security and threat intelligence experts and utilize industry leading static and dynamic code analysis tooling during the development process to validate the security of our solutions and ensure Ivanti developers adhere to secure coding practices. 

  • Secure by Design Alignment: our development process includes robust security protocols throughout the product lifecycle, including rigorous threat modeling, vulnerability assessment, and security measures specifically to improve our solutions’ resilience against current and emerging threats – additional details can be found on our website.

  • Product Security Optimization: we have invested significant resources in our Ivanti Neurons cloud platform to alleviate the burden of security for our customers, including automated security updates, MFA enabled out of the box, and unified role-based access control (RBAC) system.

  • Network Security Group Enhancements: we have evolved the Network Security Group, which is responsible for developing Ivanti Connect Secure, in both focus, size and product leadership. As of October, this group is led by Michael Riemer – an industry veteran and cybersecurity expert with deep knowledge on this product line. Under Michael’s leadership we have increased internal engineering resources and engaged additional specialized contracted resources, which are in high demand across the network security industry. 

  • Prioritizing Product Security Enhancements for Ivanti Connect Secure (ICS): we have prioritized product security enhancements for ICS. This includes our new 25.x version that upgrades to Oracle Linux OS to be completed in 2H 2025. We have also made other significant security enhancements in our Network Security products such as Secure Boot with TPM key management, Non-Root Privilege Access Control, a modernized web service, and WAF component.

  • Enhancements to the Integrity Checker Tool (ICT): the ICT has been an effective tool at identifying threat actor efforts since its introduction in 2021 and is a prime example of Ivanti’s commitment to proactive security for our solutions. This tool has aided in our forensic efforts and in the case of the vulnerability disclosed on January 8, alerted our customer to threat actor activity on the same day it occurred. This allowed us to respond swiftly and develop a fix for the issue. 

Elevating our Vulnerability Management Program

  • Vulnerability Identification: we have enhanced internal scanning, manual exploitation and testing capabilities, increased collaboration and information sharing with the security ecosystem, and further enhanced our responsible disclosure process, including becoming a CVE Numbering Authority. While this creates a natural and intended increase in vulnerability disclosure (and consequently, media coverage), it is not indicative of increased risk; on the contrary, it demonstrates our commitment to transparency and going above and beyond industry standards.

Providing Enhanced Support for Secure Product Deployments in the Field

  • Platform Upgrades: we are working with customers to accelerate customer migration from End-of-Life solutions, including eliminating barriers—be they contractual, technical, or financial—that slow adoption of our most advanced and secure solutions. Together with our customers, we are making significant strides towards achieving full migration to our latest solutions.
  • On-Prem Security Support: for customers that require on-prem solutions, we have systematically improved our product documentation and are providing best practices to equip them with the tools and knowledge necessary to navigate and mitigate security challenges within their unique operational environments.

Sharing Information with our Customers and Community

  • Information Sharing and Transparency: we have actively participated in events and created multiple forums for dialogue with our customers, which has deepened our understanding of evolving needs, and enabled us to share crucial insights and lessons learned. We have formalized a strategic program to collect feedback from customers throughout the customer's lifecycle, enabling a continuous loop of feedback to ensure ongoing alignment with customer needs.