From legacy to security: Ivanti Connect Secure
Key Takeaways
Key milestone for Ivanti Connect Secure: The release of Connect Secure 22.8 marks a pivotal moment in our journey to Secure by Design, in that it transforms a legacy product into a forward-thinking solution on a journey.
Integrated security in development: Ivanti shifted from conducting security tests only at the end of development to embedding security checks at every stage, fostering a culture of pride and mastery in secure coding among engineers.
Adversary-focused feature planning: The product management team now evaluates new features not only for customer functionality but also for potential misuse by bad actors, embedding security considerations into every decision.
When I took on leading the Network Security Group (NSG) at Ivanti in October 2024, it was a bit like a homecoming for me. You see, I spent almost two decades overseeing the development of these products before moving on to other responsibilities at Ivanti. NSG is responsible for building and maintaining Ivanti Connect Secure, Policy Secure, and Neurons for ZTNA, among other solutions. So, when I returned to leading this group, I had the benefit of already knowing these products, their history, and what matters most to our customers who depend on the connectivity and security that they provide.
So I, more than most, appreciate the significant progress we have made. In April 2024 we made a commitment to embed Secure by Design into the DNA of our organization. Due to the nature of this work, it has been executed largely internally and without fanfare. Today, coinciding with the release of Ivanti Connect Secure 22.8, I am going to pull back the curtain, show you what some of this has looked like in action, and share a number of important outcomes made possible by the hard work and dedication of the Ivanti team.
Building and enforcing a security culture
The standard SDLC process, used for many years throughout the industry, was to conduct security tests at the end of the development lifecycle, during the testing phase. Products or features would go through planning, design, and development before any security considerations were taken into account. This approach is still prevalent among many development teams throughout the industry.
The new framework of secure software development, which Ivanti has adopted and is at the heart of Secure by Design, has security integrated into every stage of the development lifecycle, beginning at the planning stage and taking place at every other stage along the way. It takes a great deal of work to implement, and I believe that Ivanti is one of the few companies today that is firing on all cylinders across this framework.
At first, this change in process was met with resistance from the engineering team, and concern that it would add even more work to their plate. But a light bulb moment I have seen happen throughout the internal team is the pride they feel when code that they have created comes back clean at each security checkpoint. It’s become a friendly challenge for the team, a sense of pride, and a powerful tool for mastering secure coding practices.
Looking at features from the adversary's perspective
Product management has historically prioritized feature functionality for customers, with security considered after a feature was built. While optimizing feature functionality is still important, now, as we plan new features, we don’t just look at how the customer will use them; we spend an equal amount of time looking at how a bad actor might misuse them for potential threat activity.
This mind shift has naturally pulled security through the entire development cycle of the product and anchors every decision we make.
Minimizing the attack surface
We’ve taken a two-pronged approach to the security hardening of Ivanti Connect Secure. Our first focus has been on implementing targeted updates – known as point fixes – to mitigate risk and eliminate tech debt in the current product version in the market. When a product is decades old, it acquires tech debt, which we are addressing as part of our proactive maintenance to ensure the products our customers rely on remain secure.
We are aware that our commitment to scrutinizing code and transparently issuing CVEs and fixes has resulted in some negative attention. In spite of this, we continue to choose to prioritize security, and we are extremely proud of the areas we have reinforced and improved. To be clear, while rigorous examination means an increase in CVEs, it is not an indication of weakness in the product, but instead an indication of the intense scrutiny we have subjected this product to.
In addition to these point fixes, the team has spent the majority of their time working on rearchitecting the product. This is hard, time-intensive work, and we released the newest version today. We know that these efforts ensure our solutions are protected and optimized for our customers' needs.
Introducing Ivanti Connect Secure 22.8
Security is a journey, and today we reached a key milestone on this road, but we aren’t resting. If Ivanti Connect Secure were a house, then we've been focusing on putting bars on windows, securing the front and back doors, upgrading the alarm system, and making sure there aren’t any holes in the roof. You can read more about this new version and the important security enhancements here.
Because this is a journey, we are committed to it for the long haul. The cyber landscape continues to evolve, and so will we. Going back to my analogy of Connect Secure being a house – next we’ll focus on upgrading the cabinets, fixing the locks on the desk drawers, and replacing the insulation. In practice, we’re closely examining how to increase the use of memory-safe language in the product, adding layers to the security of the appliance, and considering what features to add for our customers' functionality in a secure manner.
This release of Connect Secure 22.8 marks a pivotal moment in our journey to Secure by Design, in that it transforms a legacy product into a forward-thinking solution on a journey. While we can never predict the future, we can influence it by our actions today. That is what Ivanti signed up for when we committed to our customers and the industry that we would be Secure by Design.