<?xml version="1.0" encoding="utf-8"?><rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>Ivanti Blog: Posts by </title><description /><language>en</language><atom:link rel="self" href="https://www.ivanti.com/blog/authors/mike-riemer/rss" /><link>https://www.ivanti.com/blog/authors/mike-riemer</link><item><guid isPermaLink="false">a3cdf928-3594-4ac5-bac5-42b65bdd7aad</guid><link>https://www.ivanti.com/blog/from-legacy-to-security-ivanti-connect-secure</link><atom:author><atom:name>Mike Riemer</atom:name><atom:uri>https://www.ivanti.com/blog/authors/mike-riemer</atom:uri></atom:author><category>Security</category><title>From legacy to security: Ivanti Connect Secure</title><description>&lt;p&gt;When I took on leading the Network Security Group (NSG) at Ivanti in October 2024, it was a bit like a homecoming for me. You see, I spent almost two decades overseeing the development of these products before moving on to other responsibilities at Ivanti. NSG is responsible for building and maintaining Ivanti Connect Secure, Policy Secure, and Neurons for ZTNA, among other solutions. So, when I returned to leading this group, I had the benefit of already knowing these products, their history, and what matters most to our customers who depend on the connectivity and security that they provide.&lt;/p&gt;

&lt;p&gt;So I, more than most, appreciate the significant progress we have made. In April 2024 we made a commitment to &lt;a href="https://www.ivanti.com/blog/an-update-on-ivantis-ongoing-commitment-to-enhanced-product-security"&gt;embed Secure by Design into the DNA of our organization&lt;/a&gt;. Due to the nature of this work, it has been executed largely internally and without fanfare. Today, coinciding with the release of Ivanti Connect Secure 22.8, I am going to pull back the curtain, show you what some of this has looked like in action, and share a number of important outcomes made possible by the hard work and dedication of the Ivanti team.&lt;/p&gt;

&lt;h2&gt;Building and enforcing a security culture&lt;/h2&gt;

&lt;p&gt;The standard SDLC process, used for many years throughout the industry, was to conduct security tests at the end of the development lifecycle, during the testing phase. Products or features would go through planning, design, and development before any security considerations were taken into account. This approach is still prevalent among many development teams throughout the industry.&lt;/p&gt;

&lt;p&gt;The new framework of secure software development, which Ivanti has adopted and is at the heart of Secure by Design, has security integrated into every stage of the development lifecycle, beginning at the planning stage and taking place at every other stage along the way. It takes a great deal of work to implement, and I believe that Ivanti is one of the few companies today that is firing on all cylinders across this framework.&lt;/p&gt;

&lt;p&gt;At first, this change in process was met with resistance from the engineering team, and concern that it would add even more work to their plate. But a light bulb moment I have seen happen throughout the internal team is the pride they feel when code that they have created comes back at each security checkpoint clean. It’s become a friendly challenge for the team, a sense of pride, and a powerful tool for mastering secure coding practices.&lt;/p&gt;

&lt;h2&gt;Looking at features from the adversary's perspective&lt;/h2&gt;

&lt;p&gt;Product management has historically prioritized feature functionality for customers, with security considered after a feature has been built. While optimizing feature functionality is still important, now, as we plan new features, we don’t just look at how the customer will use them; we spend an equal amount of time looking at how a bad actor might &lt;em&gt;misuse&lt;/em&gt; them for potential threat activity.&lt;/p&gt;

&lt;p&gt;This mind shift has naturally pulled security through the entire development cycle of the product and anchors every decision we make.&lt;/p&gt;

&lt;h2&gt;Minimizing the attack surface&lt;/h2&gt;

&lt;p&gt;We’ve taken a two-pronged approach to the security hardening of Ivanti Connect Secure. Our first focus has been on implementing targeted updates – known as point fixes – to mitigate risk and eliminate tech debt in the current product version in the market. When a product is decades old, it acquires tech debt, which we are addressing as part of our proactive maintenance to ensure the products our customers rely on remain secure.&lt;/p&gt;

&lt;p&gt;We are aware that our commitment to scrutinizing code and transparently issuing CVEs and fixes has resulted in some negative attention. In spite of this, we continue to choose to prioritize security, and we are extremely proud of the areas we have reinforced and improved. To be clear, while rigorous examination means an increase in CVEs, it is not an indication of weakness in the product, but instead an indication of the intense scrutiny we have subjected this product to.&lt;/p&gt;

&lt;p&gt;In addition to these point fixes, the team has spent the majority of their time working on rearchitecting the product. This is hard, time-intensive work, and we released the newest version today. We know that these efforts ensure our solutions are protected and optimized for our customers' needs.&lt;/p&gt;

&lt;h2&gt;Introducing Ivanti Connect Secure 22.8&lt;/h2&gt;

&lt;p&gt;Security is a journey, and today we reached a key milestone on this road, but we aren’t resting. If Ivanti Connect Secure was a house, then we've been focusing on putting bars on windows, securing the front and back doors, upgrading the alarm system, and making sure there aren’t any holes in the roof. You can read more about this new version and the important security enhancements &lt;a href="https://www.ivanti.com/company/announcements/2025/ivanti-releases-new-ivanti-connect-secure-version-22-8-with-secure-by-default-features-and-enhancements"&gt;here&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Because this is a journey, that means we are committed to it for the long haul. The cyber landscape continues to evolve, and so will we. Going back to my analogy of Connect Secure being a house – next we’ll focus on upgrading the cabinets, fixing the locks on the desk drawers, and replacing the insulation. In practice, we’re closely examining how to increase the use of memory-safe languages in the product, adding layers to the security of the appliance, and considering what features to add for our customers' functionality in a secure manner.&lt;/p&gt;

&lt;p&gt;This release of Connect Secure 22.8 marks a pivotal moment in our journey to Secure by Design, in that it transforms a legacy product into a forward-thinking solution on a journey. While we can never predict the future, we can influence it by our actions today. &lt;em&gt;That&lt;/em&gt; is what Ivanti signed up for when we committed to our customers and the industry that we would be Secure by Design.&lt;/p&gt;
</description><pubDate>Thu, 24 Jul 2025 15:36:33 Z</pubDate></item><item><guid isPermaLink="false">36cea4cc-d6c1-41f8-a72b-eb3d1678768e</guid><link>https://www.ivanti.com/blog/secure-by-design-principles-are-more-important-than-ever</link><atom:author><atom:name>Mike Riemer</atom:name><atom:uri>https://www.ivanti.com/blog/authors/mike-riemer</atom:uri></atom:author><category>Security</category><title>Secure by Design Principles Are More Important Than Ever</title><description>&lt;p&gt;The concept of Secure by Design, which means designing software with security built in before it leaves the drawing board, is fundamentally changing how software is developed.&amp;nbsp; &amp;nbsp;&lt;/p&gt;

&lt;p&gt;Software has often been designed with what’s known as “bolt-on security,” added after products are developed. But that means security is not inherent within the solution. Where there's a conjunction between the core product and a bolt-on, that’s an inflection point for an attack.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;That’s why a software provider’s commitment to &lt;a href="https://www.cisa.gov/securebydesign/pledge" rel="noopener" target="_blank"&gt;Secure by Design&lt;/a&gt; principles has become so important – and why Ivanti was the first signatory to the Secure by Design Pledge of the U.S. Cybersecurity &amp;amp; Infrastructure Security Agency (CISA).&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Providers who sign the pledge promise to follow principles set forth by CISA. These stress weaving security measures into the very core of a solution, from its initial conception to final deployment. This makes the solution inherently resistant to attacks out of the box, rather than having to patch vulnerabilities after customer adoption – when it’s often too late to stem damage.&amp;nbsp;&lt;/p&gt;

&lt;hr&gt;
&lt;p&gt;Related: &lt;a href="https://www.ivanti.com/blog/the-secure-by-design-pledge-a-commitment-to-creating-a-safer-digital-future" target="_blank"&gt;The Secure-by-Design Pledge: A Commitment to Creating a Safer Digital Future&amp;nbsp;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;A fundamental security design principle&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;The shadow that’s dogged the advance of digital technologies at nearly every turn is how cyber attacks have evolved to inventively exploit them. Today, they threaten to metastasize across hybridized networks, blackmail or disrupt enterprises, diminish customer confidence and deliver body blows to business bottom lines. But in the eyes of CISA, they’re also a very tangible threat to national security.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;By emphasizing a new, fundamental security design principle – that security should be designed into software from its earliest planning stages – Secure by Design will translate into more robust defenses against modern attackers who may be driven by profit or politics, or both. &amp;nbsp;&lt;br&gt;
&amp;nbsp;&lt;br&gt;
From Ivanti’s perspective as a pledge signatory, it’s important to take every step necessary to be aligned with Secure by Design principles. Providers must ask themselves questions like: Are we using a programming language that’s designed from a &lt;a href="https://csrc.nist.gov/Projects/ssdf" rel="noopener" target="_blank"&gt;Secure Software Development Framework (SSDF)&lt;/a&gt; perspective to be memory-safe? Do we perform regular threat modeling to identify possible vulnerabilities? Are we using third-party libraries or components? What’s their security posture? &amp;nbsp;&lt;/p&gt;

&lt;p&gt;Answering these questions demands a focus on security during the entire Software Development Lifecycle (SDLC), which involves:&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Embedding Secure by Design principles across the whole process rather than waiting until code is written, so security is a focus throughout planning and design. This means thinking about potential threats and designing defenses into the software.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Catching vulnerabilities early by incorporating comprehensive security testing throughout development. This avoids the cost and complexity of doing so later in the SDLC or after release.&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This represents moving beyond a “shift left” approach. In applying Secure by Design principles, developers now perform static application security testing and dynamic application security testing within the code set and conduct unit testing and integration testing during the entire SDLC process rather than delaying testing or threat modeling to the end. As part of this, they become accustomed to using testing tools almost daily.&amp;nbsp;&lt;/p&gt;

&lt;hr&gt;
&lt;p&gt;Related: &lt;a href="https://www.ivanti.com/blog/3-key-takeaways-from-a-business-roundtable-with-u-s-cybersecurity-leaders" target="_blank"&gt;3 Takeaways From a Business Roundtable With U.S. Cybersecurity Leaders&amp;nbsp;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;Beyond secure software&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Putting Secure by Design principles into practice is about more than writing and testing secure code. It's about taking a holistic approach to cybersecurity where a robust defense is built upon a secure organization. This involves measures like:&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Identifying weak points:&lt;/strong&gt; It's crucial to understand where vulnerabilities exist within the organization, not just in software code. This means analyzing and optimizing multiple aspects of cybersecurity, ranging from employee training programs to security software patching and the company’s overall security posture.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Protection and monitoring:&lt;/strong&gt; Organizations need solid cybersecurity tools in place to actively – even proactively – manage risks. Those include monitoring systems for detecting suspicious activity and safeguards like firewalls to reject cyberattacks in the first place.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Incident response:&lt;/strong&gt; A crystal-clear plan for responding to cyber attacks is indispensable. It should outline how to detect an attack, assess its impact and take steps to recover and improve security measures.&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;There’s a further aspect of implementing a secure software system based on Secure by Design principles: When people talk about Secure by Design, they’re often really referring to the “security by default” approach. These are complementary concepts. While Secure by Design means security considerations have been embedded in the product across its entire development lifecycle, security by default means the final product is secure out of the box, without the user having to go through extensive configuration. It’s already set up to deliver measures like secure logging or software authorization profiles, and it prioritizes forward-looking security over backward compatibility.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;hr&gt;
&lt;p&gt;Related: &lt;a href="https://www.ivanti.com/webinars/2024/practical-demo-protect-all-endpoints-with-secure-uem-countermeasures" target="_blank"&gt;Practical Demo: Protect all endpoints with secure UEM countermeasures&amp;nbsp;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;Customers benefit from Secure by Design &amp;nbsp;&lt;/h2&gt;

&lt;p&gt;When a software provider delivers solutions and platforms that follow Secure by Design principles, the benefits that matter most are the ones the customer experiences:&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Improved protection:&lt;/strong&gt; When security features are built into software from the start, it's stronger and less vulnerable – and so is the network it’s running on.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Enhanced DEX:&lt;/strong&gt; Greater focus on security and testing during development can result in a more optimized product that’s more stable and disruption-proof, improving employee experience.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Better ROI:&lt;/strong&gt; A more secure product can minimize downtime and patching so users stay productive.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Streamlined compliance:&lt;/strong&gt; Adhering to stringent data privacy and security mandates can be easier with Secure by Design software, cutting the time and resources needed to pass compliance checks and preventing penalties.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Enhanced reputation:&lt;/strong&gt; Companies that make security a top consideration are seen as more trustworthy, which can enhance customer confidence and loyalty.&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Thu, 18 Jul 2024 07:36:39 Z</pubDate></item></channel></rss>