Ivanti pledges security overhaul after multiple government breaches
Ivanti announced wholesale changes to how it approaches cybersecurity after multiple governments traced recent breaches back to vulnerabilities in the company’s products.
Ivanti CEO Jeff Abbott published an open letter and 6-minute video to customers pledging to overhaul how the technology-management company builds its products and how it communicates with customers about vulnerabilities.
“Events in recent months have been humbling, and I want you to hear directly from me about the actions we are taking to ensure we emerge stronger, and our customers are more secure,” Abbott said.
Those events included breaches at the top U.S. cybersecurity agency and government agencies in Norway.
“We will use this opportunity to begin a new era at Ivanti. We have challenged ourselves to look critically at every phase of our processes, and every product, to ensure the highest level of protection for our customers,” Abbott said. “We have already begun applying learnings from recent incidents to make immediate improvements to our own engineering and security practices. And there is more to come.”
The CEO explained that Ivanti has worked with its board and customers to change its “core engineering, security and vulnerability management practices” while also providing customers with resources so they can deploy Ivanti tools safely.
He said the company plans to adhere to the Secure-By-Design ethos, embedding security “into every stage of the software development lifecycle.” This includes threat modeling, “isolation and anti-exploit technologies” and an improved vulnerability portal with more information on patches.
The goal is to make products that are “secure out of the box” and can be managed or monitored by Ivanti. The company plans to expand its security team as well and increase “internal scanning, manual exploitation and testing capabilities.”
In an effort to prove these measures are legitimate, Ivanti also will create a “Customer Advisory Board” that will guide its efforts, Abbott said.
Recorded Future News reported last month that hackers used vulnerabilities in Ivanti products to breach the Cybersecurity and Infrastructure Security Agency (CISA), forcing it to take offline two systems — including the Chemical Security Assessment Tool (CSAT), which houses private sector chemical security plans.
A follow-up report said U.S. officials told Congress that data belonging to more than 100,000 people may have been affected.
On the same day as Abbott’s letter, Ivanti published patches for four new vulnerabilities but said it has not seen any customers attacked through them.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.