Ivanti pledges security overhaul after multiple government breaches https://therecord.media/ivanti-security-overhaul-ceo-jeff-abbott
@therecord_media @GossiTheDog I love how companies will ignore security to pad their profits right up to the point customers tell them to f**k off. And then customers will come back thinking they "learned their lesson".
Yes, they learned their lesson... customers will quickly forgive security failings, so it is in vendors' best interests to add features and focus on security later/never.
@synfinatic @therecord_media @GossiTheDog I don't believe many are coming back. At least in my circles most customers switched to GlobalProtect and the like very quickly after the news broke. I have yet to find anyone who is willing to come back to Ivanti, which frankly wasn't a lovely product even before the security dumpster fire.
@therecord_media Ivanti was vulnerable to a shell command injection and a directory traversal bug straight from the 90s CGI script era. Their "security" appliance bundled ancient versions of software, many of which have known security vulnerabilities (e.g. perl 5.6.1 from 2001). In other words, they've been fucking around for the past 25 years. Let's give them another 25 years to figure out how to overhaul their security; then we can re-evaluate whether they've succeeded with their ambitious plans (as promised by their CEO: hire security experts, design and develop products with security in mind, do threat modeling, update/patch bundled software, etc.).