Vendor efforts to stem the tide on network edge exploitation
Vendors who responded to questions for this story all said they take secure development lifecycle practices seriously and are making investments in architectural changes, including rewriting legacy code. For example, Palo Alto Networks pointed to its implementation of Security-Enhanced Linux (SELinux) in full enforcement mode and Integrity Measurement Architecture (IMA) in PAN-OS as examples of platform security hardening to mitigate entire classes of threats.
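The two platform controls Palo Alto Networks names above, SELinux in enforcing mode and IMA measurement, are both exposed through standard Linux kernel interfaces that an operator or auditor can read. The script below is an added example for this article, not PAN-OS code and not anything the vendor published: it reports the SELinux mode from selinuxfs, parses IMA `ima-ng` records in the format the kernel writes to `ascii_runtime_measurements`, and compares measured file hashes against an expected set so that a modified binary shows up. The file paths are the usual kernel locations (assumed, since the appliance's layout is not described), and the measurement log and golden hashes are constructed sample data.

```python
"""Added example (not PAN-OS or any vendor's code): read the two hardening
controls named in the article, SELinux enforcing mode and IMA measurement,
through the standard Linux kernel interfaces and flag mismatched hashes."""
import re
from typing import Dict, List

# Assumed standard kernel paths; an appliance may mount them elsewhere.
SELINUX_ENFORCE_PATH = "/sys/fs/selinux/enforce"
IMA_ASCII_LOG = "/sys/kernel/security/ima/ascii_runtime_measurements"

# One ima-ng record per line: PCR index, template hash (sha1 hex),
# template name, "<algo>:<file hash>", then the measured path or event name.
IMA_NG_RE = re.compile(
    r"^(?P<pcr>\d+)\s+(?P<template_hash>[0-9a-f]{40})\s+(?P<template>ima-ng)\s+"
    r"(?P<algo>[a-z0-9]+):(?P<file_hash>[0-9a-f]+)\s+(?P<path>\S.*)$"
)


def enforce_flag_to_mode(flag: str) -> str:
    """selinuxfs 'enforce' holds '1' (enforcing) or '0' (permissive)."""
    return "enforcing" if flag.strip() == "1" else "permissive"


def selinux_mode(path: str = SELINUX_ENFORCE_PATH) -> str:
    """Return 'enforcing', 'permissive', or 'disabled' when selinuxfs is absent."""
    try:
        with open(path, encoding="ascii") as fh:
            return enforce_flag_to_mode(fh.read())
    except FileNotFoundError:
        return "disabled"


def parse_ima_measurements(text: str) -> List[Dict[str, str]]:
    """Parse ima-ng lines; blank or unrecognised template lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = IMA_NG_RE.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries


def find_unexpected_hashes(entries: List[Dict[str, str]],
                           expected: Dict[str, str]) -> List[str]:
    """Paths whose measured hash differs from the expected (golden) value.
    Paths with no golden entry are ignored, not treated as failures."""
    return [e["path"] for e in entries
            if e["path"] in expected and expected[e["path"]] != e["file_hash"]]


def audit(log_text: str, expected: Dict[str, str],
          enforce_path: str = SELINUX_ENFORCE_PATH) -> Dict[str, object]:
    """Combine both checks into one report for an operator or a detection job."""
    entries = parse_ima_measurements(log_text)
    return {
        "selinux": selinux_mode(enforce_path),
        "measured": len(entries),
        "mismatched": find_unexpected_hashes(entries, expected),
    }


# Constructed sample data, not a real appliance's measurement log.
SAMPLE_IMA_LOG = "\n".join([
    f"10 {'0' * 40} ima-ng sha256:{'1' * 64} boot_aggregate",
    f"10 {'a' * 40} ima-ng sha256:{'2' * 64} /usr/bin/bash",
    "",
    f"10 {'b' * 40} ima-ng sha256:{'3' * 64} /usr/sbin/sshd",
])

# Constructed golden hashes: sshd's differs from what was measured.
GOLDEN_HASHES = {"/usr/bin/bash": "2" * 64, "/usr/sbin/sshd": "f" * 64}


if __name__ == "__main__":
    # Offline run on the constructed sample; the selinuxfs path is assumed.
    print(audit(SAMPLE_IMA_LOG, GOLDEN_HASHES))
```

On a live host you would read `IMA_ASCII_LOG` instead of the sample text; the kernel only exposes that file when IMA measurement is enabled, so its absence is itself a finding. A mismatch list that is non-empty means a measured file no longer matches the build's expected hash, which is exactly the class of post-exploitation change (a patched binary or web shell) that measurement is meant to surface.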
Christopher Ganas, director of the Deep Product Security Research Team at Palo Alto’s network security division, told CSO that his team has tripled in size and has no budgetary constraints or other barriers for evolving the code base of the 20-year-old PAN-OS into a more secure architecture.
He noted that his team was created to investigate the root causes of bugs that tools and manual code reviews find and then to implement architectural changes to make exploitation of those flaws much harder. Often that means simplifying the architecture to make security boundaries — and the interactions between them — much clearer. That way, developers are better equipped to write secure code.
“We have a very long history of responsibly processing, remediating, disclosing vulnerabilities, but ultimately with how the threat landscape evolved over the last few years, there is this absolute need for us to go deeper into our products and ultimately find and address all of these architectural issues,” Ganas said. “We acknowledge the scale of exploitation across all vendors, but from our perspective, we fundamentally need to lead our industry and acknowledge that customers trust us with their security. We are offering them a security platform. We are ultimately protecting their network. We have to put ourselves to the highest standard of product security and operational excellence around these issues.”
Ivanti, whose security products were the target of multiple zero-day exploits by APT groups over the past two years, has also signed the CISA Secure by Design pledge and is making architectural changes and tackling the technical debt that has accumulated over decades.
“The current threat landscape for edge devices is aggressive and sophisticated, and no company has been proven immune,” an Ivanti spokesperson told CSO. “[…] Recognizing meaningful advances don’t happen overnight, we committed to putting in the time and financial investment, including rearchitecting legacy products, embedding security throughout the development lifecycle, and anticipating potential adversary misuse across our planning process. We have not hesitated to touch older code as part of this effort.”
The Cloud Software Group, which owns NetScaler (aka Citrix NetScaler), has also signed the CISA Secure by Design pledge and told CSO that it has embedded secure development methodologies throughout its engineering teams.
“At Cloud Software Group, we take security seriously,” the company said. “We have published our approach to security, including our secure development lifecycle (SDLC) process. Our dedicated Product Security Team, which serves as the cornerstone of this commitment, regularly reviews process improvements and is responsible for a comprehensive set of proactive and reactive security activities throughout the product lifecycle. These include proactive vulnerability identification, implementation of strong security controls, driving secure development practices and product incident response management.” — LC
For more insights into this topic, watch our conversation on the Global Tech Tales podcast with Daniel dos Santos, the head of research at cyber risk management firm Forescout Technologies.
