A batch of new vulnerabilities has drawn a mea culpa from Ivanti’s CEO, and a promise to embrace secure-by-design methodologies.
In an open letter, CEO Jeff Abbott said the “increasing complexity of the threat landscape and the specific evolution of threat-actor tactics … has brought one of our products to the forefront of conversation regarding recently reported security incidents.”
Abbott said the company is “taking a very close look at our own posture and processes to ensure we are well prepared to address the current landscape.”
He said Ivanti has engaged “the industry’s most recognised security and product development experts”, with a plan “backed by a significant investment and has the full support of our board of directors and everyone at Ivanti.”
The company will adhere to secure-by-design principles, the letter said, optimising products for security and trust and reducing the security burden on customers.
Ivanti’s vulnerability management program will be bolstered, with “risk-based patching and vulnerability remediation”.
Ivanti also promises more secure deployments in the field, and better information sharing.
The year began badly for the company, which had to patch two exploited zero-day bugs in early January.
A bug discovered during that investigation was revealed as being exploited in February, leading to the release of a new security tool in March.
In mid-March, Ivanti had to move on two more critical vulnerabilities: CVE-2023-41724, a remote code execution bug in its Standalone Sentry product; and CVE-2023-46808, a remote file write bug in its Neurons for ITSM product.
The company has also patched a number of sub-critical vulnerabilities in its Ivanti Connect Secure product.