Understanding CVEs and Responsible Disclosure
The webinar opens with a foundational explanation of Common Vulnerabilities and Exposures (CVEs) and why their disclosure actually represents responsible security practice rather than cause for alarm. Mike Riemer distinguishes between internally discovered CVEs—found through static and dynamic code analysis—and zero-day vulnerabilities that emerge from active threat actor exploitation. The key insight is that transparent CVE disclosure serves dual purposes: it enables defenders to understand and monitor for specific weaknesses while allowing other software vendors to check their own codebases for similar issues, particularly important given the widespread use of open-source components across the industry.
Secure by Design Principles in Practice
Karl Triebes outlines Ivanti's proactive security approach, emphasizing that security cannot simply be tested into products at the end of development. The secure by design methodology encompasses selecting memory-safe programming languages like Python, Rust, and Go for new products, conducting regular penetration testing, implementing code inspection during development rather than just at completion, and carefully evaluating third-party components including open-source libraries. The discussion highlights how seemingly moderate CVSS scores can become serious attack vectors when combined with other vulnerabilities—what Triebes calls 'low and slow attacks' that represent some of the most pernicious threats organizations face.
The Evolving Threat Landscape and Organizational Response
The conversation turns to how dramatically the threat landscape has changed, with Riemer noting the shift from perhaps one attack per year decades ago to a dozen or more daily attempts now. Modern threat actors operate as organized 'cyber gangs' with specialized roles—one group exploits initial access, another conducts internal reconnaissance, and a third executes the actual data theft or ransomware deployment. The 'living off the land' technique, where attackers quietly capture legitimate user credentials and return later masquerading as valid employees, represents a particularly challenging threat that requires least-privilege access controls and continuous monitoring to counter.
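The monitoring side of that defence can be made concrete. The following is an added example, not code from the webinar or from Ivanti: it reads a few constructed authentication log lines and flags the signals a "living off the land" intruder leaves even when the credentials are valid, namely a login from a network the account has never used, a login outside the account's usual hours, and a privileged action the account is not entitled to under least privilege. The per-account baseline, the log format and the role names are assumptions made for the example.

```python
"""Detect possible credential misuse in authentication logs.

Constructed example: the baseline, log format and log lines below are
made up for illustration. An intruder using stolen but valid credentials
produces no failed logins, so detection keys on departures from each
account's own baseline (known source networks, usual hours) and on
privileged actions outside the account's entitlement.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed per-account baseline: source networks seen recently, the usual
# working-hour window on a 24h clock, and the roles the account may use.
BASELINE = {
    "alice": {"nets": [ip_network("10.20.0.0/16")], "hours": (7, 19), "roles": {"hr-read"}},
    "bob":   {"nets": [ip_network("10.30.0.0/16")], "hours": (8, 18), "roles": {"dev", "db-admin"}},
}

# Constructed log lines in the assumed format "<ISO time> <user> <src_ip> <action>".
SAMPLE_LOG = """\
2024-05-01T09:12:03 alice 10.20.4.17 login
2024-05-01T09:40:51 alice 10.20.4.17 read:hr-db
2024-05-01T23:05:10 alice 203.0.113.44 login
2024-05-01T23:07:42 alice 203.0.113.44 read:hr-db
2024-05-01T23:09:15 alice 203.0.113.44 admin:db-admin
2024-05-02T10:01:00 bob 10.30.1.5 login
2024-05-02T10:05:30 bob 10.30.1.5 admin:db-admin
"""


def parse(line):
    """Split one log line into (timestamp, user, source address, action)."""
    ts, user, ip, action = line.split()
    return datetime.fromisoformat(ts), user, ip_address(ip), action


def analyse(log_text):
    """Return a list of (user, reason, line) findings for the given log text."""
    findings = []
    for line in log_text.splitlines():
        ts, user, ip, action = parse(line)
        base = BASELINE.get(user)
        if base is None:
            findings.append((user, "unknown-account", line))
            continue
        if action == "login":
            # Valid credentials from a network this account has never used.
            if not any(ip in net for net in base["nets"]):
                findings.append((user, "login-from-new-network", line))
            # Valid credentials outside the account's usual hours.
            lo, hi = base["hours"]
            if not lo <= ts.hour < hi:
                findings.append((user, "login-outside-hours", line))
        elif action.startswith("admin:"):
            # Least privilege: a role the account is not entitled to is a finding
            # regardless of where or when the session originated.
            role = action.split(":", 1)[1]
            if role not in base["roles"]:
                findings.append((user, "privileged-action-not-entitled", line))
    return findings


def summarize(findings):
    """Group finding reasons by account so an analyst sees one row per user."""
    by_user = defaultdict(list)
    for user, reason, _ in findings:
        by_user[user].append(reason)
    return dict(by_user)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
    print(summarize(analyse(SAMPLE_LOG)))
```

Bob's admin action raises nothing because it comes from his usual network, within hours, using a role he holds; Alice's session after 23:00 from 203.0.113.44 raises three findings, and the entitlement check fires on its own even if the first two signals were absent. In practice the baseline would be learned from historical logs rather than hand-written.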
Practical Guidance for Security Posture
Both speakers emphasize actionable steps organizations should take, including treating security teams as business partners rather than obstacles, implementing exposure management tools to identify and prioritize risks, and establishing robust CVE management processes that quickly triage incoming vulnerabilities for actual impact rather than relying solely on CVSS scores. The discussion addresses the tension between government agencies requiring 30 to 180 days of testing before deploying patches and the need for rapid response to zero-day threats. Organizations are advised to scrutinize their vendors' security practices, demand transparency around CVE disclosure, and recognize that vendors who aren't publishing CVEs likely lack robust security programs altogether.
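To make the triage advice concrete, here is an added example that is not code from the webinar or from Ivanti. It ranks a constructed feed of CVE records against a constructed asset inventory using the factors the speakers name: whether the vulnerable component is actually deployed, whether it is reachable from the internet, whether the flaw is known to be exploited, and only then the CVSS score. It also shows how a response deadline compares against a mandated testing window such as the 30 to 180 days mentioned above. The CVE identifiers, scores, component names, priority tiers and deadlines are placeholders chosen for the example.

```python
"""Context-aware CVE triage.

Constructed example: the CVE identifiers, scores and inventory below are
placeholders, not real advisories. CVSS is one input; whether the
vulnerable component is deployed, internet-exposed and known to be
exploited decides the response deadline.
"""
from dataclasses import dataclass


@dataclass
class Cve:
    cve_id: str              # placeholder ids of the form CVE-0000-000N
    component: str
    cvss: float
    exploited_in_wild: bool  # assumed to come from a known-exploited feed


@dataclass
class Asset:
    name: str
    components: set
    internet_exposed: bool
    criticality: int         # assumed scale: 1 (low) .. 3 (business-critical)


# Constructed inventory and vulnerability feed.
INVENTORY = [
    Asset("vpn-gateway", {"ssl-vpn-appliance"}, True, 3),
    Asset("build-server", {"ci-runner", "openssl-lib"}, False, 2),
]
FEED = [
    Cve("CVE-0000-0001", "ssl-vpn-appliance", 6.5, True),
    Cve("CVE-0000-0002", "legacy-cms", 9.8, False),
    Cve("CVE-0000-0003", "openssl-lib", 7.5, False),
]

# Assumed priority tiers and patch deadlines in days.
DEADLINES = {"emergency": 1, "high": 7, "medium": 30, "low": 90, "none": None}


def triage(cve, inventory):
    """Assign a priority from deployment context first and CVSS second."""
    affected = [a for a in inventory if cve.component in a.components]
    if not affected:
        priority, reason = "none", "component not deployed"
    else:
        exposed = any(a.internet_exposed for a in affected)
        crit = max(a.criticality for a in affected)
        if cve.exploited_in_wild and exposed:
            priority, reason = "emergency", "exploited in the wild on an internet-exposed asset"
        elif cve.exploited_in_wild or (exposed and cve.cvss >= 7.0):
            priority, reason = "high", "exploited, or high CVSS on an exposed asset"
        elif cve.cvss >= 7.0 or crit == 3:
            priority, reason = "medium", "high CVSS or business-critical asset, not exposed"
        else:
            priority, reason = "low", "internal, moderate score"
    return {
        "cve": cve.cve_id,
        "priority": priority,
        "reason": reason,
        "deadline_days": DEADLINES[priority],
        "assets": [a.name for a in affected],
    }


def rank(feed, inventory):
    """Order the feed by priority tier, then by CVSS within a tier."""
    order = {"emergency": 0, "high": 1, "medium": 2, "low": 3, "none": 4}
    rows = [triage(c, inventory) for c in feed]
    score = {c.cve_id: c.cvss for c in feed}
    return sorted(rows, key=lambda r: (order[r["priority"]], -score[r["cve"]]))


def plan(row, testing_window_days):
    """Decide whether the deadline fits inside a mandated pre-deployment test window."""
    if row["deadline_days"] is None:
        return "no action"
    if row["deadline_days"] >= testing_window_days:
        return "test then deploy"
    # The patch cannot wait for the full test cycle: apply compensating
    # controls now and run the testing in parallel.
    return "mitigate now, test in parallel"


if __name__ == "__main__":
    for row in rank(FEED, INVENTORY):
        print(row["cve"], row["priority"], row["deadline_days"], plan(row, 30), "-", row["reason"])
```

The placeholder CVE-0000-0001 scores only 6.5 but lands at the top because the component is deployed on an exposed gateway and is being exploited, while the 9.8 in CVE-0000-0002 drops to the bottom because nothing in the inventory carries that component. Wiring this to a real SBOM and a real exploited-vulnerability feed is what the "CVE management process" in the summary amounts to.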