惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

www.infosecurity-magazine.com
www.infosecurity-magazine.com
D
DataBreaches.Net
T
Tailwind CSS Blog
M
MIT News - Artificial intelligence
Stack Overflow Blog
Stack Overflow Blog
F
Full Disclosure
V2EX - 技术
V2EX - 技术
N
News and Events Feed by Topic
Help Net Security
Help Net Security
L
LangChain Blog
Y
Y Combinator Blog
宝玉的分享
宝玉的分享
Google Online Security Blog
Google Online Security Blog
P
Proofpoint News Feed
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
The Blog of Author Tim Ferriss
Google DeepMind News
Google DeepMind News
The Register - Security
The Register - Security
B
Blog RSS Feed
N
Netflix TechBlog - Medium
N
News | PayPal Newsroom
TaoSecurity Blog
TaoSecurity Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
V
Vulnerabilities – Threatpost
B
Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
I
Intezer
H
Hackread – Cybersecurity News, Data Breaches, AI and More
博客园_首页
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
AI
AI
aimingoo的专栏
aimingoo的专栏
大猫的无限游戏
大猫的无限游戏
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Cyberwarzone
Cyberwarzone
P
Proofpoint News Feed
Google DeepMind News
Google DeepMind News
G
GRAHAM CLULEY
Vercel News
Vercel News
罗磊的独立博客
MyScale Blog
MyScale Blog
Last Week in AI
Last Week in AI
博客园 - 司徒正美
C
CERT Recently Published Vulnerability Notes
GbyAI
GbyAI
Scott Helme
Scott Helme
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
T
Troy Hunt's Blog
A
About on SuperTechFans
P
Privacy International News Feed

Citrix Blogs

Celebrating the Partners powering Citrix forward – Citrix Blogs What’s left for humans? – Citrix Blogs Why this moment feels different – Citrix Blogs Introducing Citrix Platform for Public Sector – Citrix Blogs how our partnership with Google has matured secure access for the browser era – Citrix Blogs When session recording stops scaling – Citrix Blogs A conversation with Cletis Earle – Citrix Blogs Imprivata Ready Certification validates Citrix Unicon: A practical guide for healthcare IT – Citrix Blogs Skills are all you need – Citrix Blogs UHMC customers now have expanded Citrix Secure Private Access entitlement – Citrix Blogs How CIOs turn post‑merger disorder into a synergy engine – Citrix Blogs why your AI strategy is focused on the wrong layer – Citrix Blogs Securing high privileged admin access doesn’t have to be complicated – Citrix Blogs What will knowledge work be in 18 months? Look at what AI is doing to coding right now. – Citrix Blogs Untangling spaghetti – Citrix Blogs Workers’ “second brains” break every assumption about how we secure knowledge work – Citrix Blogs Taming integration chaos (the core of M&A failure) – Citrix Blogs OpenClaw and Moltbook preview the changes needed with corporate AI governance – Citrix Blogs Three years. Five Use Cases. A Leader: Citrix – Citrix Blogs The hard truths about hospital consolidation: An M&A guide for IT leaders – Citrix Blogs Why Citrix is the most complete EUC platform – Citrix Blogs Sign in once, get more done: Why continuous identity is a strategic advantage – Citrix Blogs Everyone’s worried about the wrong AI security risk – Citrix Blogs Security by design, proven by action with Citrix NetScaler – Citrix Blogs The invisible 80%—what corporate-led AI transformations can’t see – Citrix Blogs Workers don’t want to build automations. They want to delegate. – Citrix Blogs speed vs. security – Citrix Blogs AI will be THE interface to knowledge work. Here’s how we’ll get there. – Citrix Blogs Why I joined Citrix — and what it means for healthcare leaders – Citrix Blogs How the most successful CIOs are building successful merger and acquisition approaches – Citrix Blogs IT admits workers control AI. Workers admit they use it to leave at 5. – Citrix Blogs One identity. Every app. Now inside Citrix sessions. – Citrix Blogs Built-in AI intelligence that keeps IT focused – Citrix Blogs Everyone wants to provide your AI. Nobody wants to help you manage it. – Citrix Blogs Certificate lifetimes are shrinking—your business continuity doesn’t have to: Automating SSL/TLS at scale with NetScaler – Citrix Blogs Advancing Zero Trust at the browser – Citrix Blogs Citrix is headed to Microsoft Ignite 2025 as a Partner of the Year Finalist, top sponsor, and more! – Citrix Blogs Three trends reshaping how work happens – Citrix Blogs Our vision for secure access in a browser-first world – Citrix Blogs Will AI need to operate your legacy desktop apps or is direct file manipulation enough? – Citrix Blogs an executive blueprint for streamlined app delivery – Citrix Blogs AI just created 10,000 accidental citizen developers in your company. Welcome to the post-application era! – Citrix Blogs Why healthcare IT leaders are embracing Unicon + Imprivata – Citrix Blogs Windows 10 & IGEL OS 11 end-of-life: How Unicon OS turns deadlines into competitive advantage – Citrix Blogs The bitter lesson of workplace AI: Stop engineering, start enabling – Citrix Blogs If AI is normal technology, boring infrastructure is your best strategy – Citrix Blogs Innovation, efficiency, and the future of licensing – Citrix Blogs Worker-led AI isn’t shadow IT. It’s shadow strategy. – Citrix Blogs Everyone’s wrong about why enterprise AI is failing – Citrix Blogs Citrix Virtual Apps and Desktops 2507 Long Term Service Release is now available: Get current, stay ahead – Citrix Blogs If AI progress stopped today, we can still transform the enterprise with what we have – Citrix Blogs AI agents are the new insider threat. Secure them like human workers. – Citrix Blogs How NetScaler helps prevent a silent data breach decades in the making – Citrix Blogs What happens when AI agents score 100% in computing using benchmarks? – Citrix Blogs Citrix DaaS for Amazon WorkSpaces Core Managed Instances – Citrix Blogs Why AI agents will use the same desktops and apps as human workers – Citrix Blogs Modern applications need modern networking — Here’s what that means for your business – Citrix Blogs Powering your present, readying your future, and now available for all workloads – Citrix Blogs To understand AI’s future impact, check out this playbook from 150 years ago – Citrix Blogs The 7-stage roadmap for human-AI collaboration in the workplace (2025 edition) – Citrix Blogs Secure your business with Citrix and Google Chrome Enterprise Premium – Citrix Blogs AI agents need a secure place to work. The Citrix workspace is ready. – Citrix Blogs What’s New and Next with Citrix: Q&A from our May 2025 webinar – Citrix Blogs What if your CEO never sends the AI-first memo? – Citrix Blogs Your CEO just sent a company-wide “AI-First” memo. Now what? – Citrix Blogs Citrix and Nutanix team up to simplify virtual desktop management – Citrix Blogs eLux + Imprivata coming soon for healthcare and beyond – Citrix Blogs Rising costs. Aging hardware. One smart solution. – Citrix Blogs The desktop has dissolved. Now where does work live in 2025? – Citrix Blogs Citrix Virtual Apps and Desktops 2503 is now generally available – Citrix Blogs What does “AI” mean at Citrix? – Citrix Blogs Making sense of AI in the workplace: A starting point for leaders – Citrix Blogs Control the endpoint, control the experience – Citrix Blogs Why I joined Citrix and what I’m excited about – Citrix Blogs Citrix and NVIDIA partner to deliver AI Virtual Workstations – Citrix Blogs Welcoming Google Chrome Enterprise Premium into the Citrix platform – Citrix Blogs Apple M4 chip delivers another significant performance boost to Citrix VDA for macOS! – Citrix Blogs Updated STIG guidance for highly secure environments – Citrix Blogs It’s time to upgrade your hypervisor to XenServer 8! – Citrix Blogs Furthering our investment in the Citrix platform with the strategic acquisition of Unicon – Citrix Blogs Faster logins, more productivity – Citrix Blogs New optimization for Microsoft Teams in Citrix environments – Citrix Blogs Password spraying attacks on NetScaler/NetScaler Gateway – December 2024 – Citrix Blogs Citrix Secure Private Access delivers ZTNA in hybrid mode – Citrix Blogs Citrix strengthens zero trust security posture with strategic acquisitions of deviceTRUST and Strong Network – Citrix Blogs Ease your virtual machine device management with MCS & Intune – Citrix Blogs Free uberAgent training is now available on Pluralsight – Citrix Blogs Improved security, admin interfaces, and user experiences across the Citrix solution portfolio – Citrix Blogs Citrix ranked highest for all 4 Use Cases in the Gartner® Critical Capabilities for Desktop as a Service Report – Citrix Blogs Join us at Microsoft Ignite – Citrix innovations for the modern workplace – Citrix Blogs Improve user experiences and reliability with new expanded uberAgent entitlements – Citrix Blogs Citrix Secure Private Access now supports multi-session VDI – Citrix Blogs The new Citrix platform experience – Citrix Blogs Citrix Secure Private Access for ZTNA now supports Linux – Citrix Blogs Citrix Workspace app – いつの間に?Citrixへの入口がこんなに進化しました – Citrix Blogs Launch right into your Citrix environment with Desktop Lock – Citrix Blogs Making Policy Management Smarter and Simpler with Citrix Policy Sets – Citrix Blogs Image and Power Management Support for Azure Sovereign Air-gap – Citrix Blogs Think you have what it takes to be a CTP or CTA? Apply today! – Citrix Blogs How Citrix supports financial contact centers 24/7 – Citrix Blogs
Citrix’s approach to Secure by Design – Citrix Blogs
Mohan Sekar · 2025-04-02 · via Citrix Blogs

August 15, 2025 update

At Cloud Software Group, we take security seriously. As part of our ongoing commitment to our customers, we publish security alerts concerning potential product vulnerabilities, known as Common Vulnerabilities and Exposures (CVE). On June 17, 2025, we published a bulletin on our NetScaler support page regarding CVE-2025-5349 and CVE-2025-5249. That bulletin included guidance to customers concerning patches to be implemented and steps to take in order to effectively and securely patch impacted NetScaler products. We have recorded and reviewed all incident reports from our customers concerning these CVEs. Citrix additionally has proactively worked closely with various government organizations in the Netherlands to identify potential exploitations of these CVEs and to assist customers, while addressing any patches and updates required. 

To keep our customers informed and up to date, we make our approach to security, including our secure development lifecycle (SDLC) process, publicly available. Our dedicated Product Security Team, which serves as the cornerstone of this commitment, regularly reviews process improvements and is responsible for a comprehensive set of proactive and reactive security activities throughout the product lifecycle, including the following:

  • Proactive Vulnerability Identification: Continuously researching and identifying potential security vulnerabilities across our product portfolio, employing advanced threat intelligence and security assessment methodologies.
  • Implementation of Strong Security Controls: Designing, implementing, and enforcing robust security controls and countermeasures to protect our products and the data they handle from known and emerging threats. 
  • Driving Secure Development Practices: Championing and embedding secure-by-design principles, along with secure development methodologies and best practices throughout our engineering teams. This involves providing training, tools, and guidelines to ensure that security is an inherent part of every developer’s workflow.
  • Product Security Incident Response Management: Establishing and managing a comprehensive incident response framework to swiftly and effectively address any security incidents. 

Our unwavering mission is to ensure that our products remain secure, trusted, and resilient. This commitment is underscored by Cloud Software Group’s recent Secure by Design pledge to CISA, and our collaboration with ENISA, and CERT EU (Computer Emergency Response Team for the European Union) and other vendors through a group sponsored by JCDC for collaboration among edge device members of the industry. 

We meticulously embed security into every facet of our development process, thereby proactively mitigating risks in the product. This holistic approach safeguards our products, protects our customers’ data, and maintains the integrity of our services.


Citrix has established itself as a leader in enabling secure, hybrid work environments through its industry-leading virtualization, secure private access, and application delivery products. For decades, we’ve empowered organizations to achieve operational flexibility while maintaining robust security standards. Our recent commitment to the Cybersecurity and Infrastructure Security Agency’s (CISA) Secure by Design Pledge not only reinforces our long-standing mission on security but also provides an opportunity to demonstrate our commitment to embedding security as a foundational element of our product lifecycle.

By aligning with this initiative alongside over 200 of our industry peers, Citrix pledges to deliver measurable security enhancements, further strengthening the trust that customers have in our products. In this post, we’ll share how we are delivering on the pledge’s goals and outline our comprehensive strategy for achieving Secure by Design, tailored specifically to the unique challenges and opportunities presented by virtual desktops, application delivery, and endpoint management.

The Secure By Design Pledge logo

All seven Secure by Design goals are important security elements for enhancing the overall product security posture and practices for enterprises. For Citrix, this commitment builds upon our established practices and aligns seamlessly with our vision of delivering secure, scalable, and user-centric enterprise products. The pledge encompasses actionable commitments, including eliminating default passwords, implementing multi-factor authentication (MFA) by default, reducing vulnerability classes, enhancing security patches, and fostering a culture of accountability. This resonates deeply given the technical and operational intricacies of our products, which serve as the backbone for hybrid workforces worldwide.

In the context of virtual desktops, Citrix prioritized hardening its Virtual Apps and Desktops platform to preemptively address emerging threats. This includes embedding security controls that mitigate risks inherent to remote access, such as unauthorized session access or data leakage, while ensuring seamless usability for end users. For application delivery, we are enhancing our Citrix Gateway and Secure Private Access solutions to enforce least-privilege access and integrate advanced threat detection capabilities with an emphasis on reducing exploitable attack surfaces.

Our strategy for fulfilling the Secure by Design Pledge is both deliberate and forward-looking. By addressing the specific demands of virtualized environments and hybrid work models securely, Citrix is not only meeting CISA’s call to action but also setting a benchmark for security excellence in the industry.

Authentication

In hybrid work environments, where users connect to applications and desktops from a wide array of endpoints, credential-based attacks such as phishing remain a significant and ongoing risk. To align with the Secure by Design Pledge, particularly its goal of enabling MFA by default, Citrix is advancing MFA adoption across key platforms, including Citrix Virtual Apps and Desktops. Our approach focuses on simplifying MFA enforcement for both administrative consoles and end-user sessions, with a strategic intent to establish MFA as the default authentication wherever feasible. Additionally, Citrix is prioritizing phishing-resistant MFA options, such as FIDO2 passkeys, to further bolster security while maintaining a frictionless user experience. We are achieving this by integrating seamlessly with standards-based identity providers (IdPs) through protocols such as SAML 2.0 and OpenID Connect. These enhancements directly support the Secure by Design objective of reducing the authentication-related risks by ensuring that robust, multi-layered authentication is a fundamental component of our product ecosystem.

Equally critical to the Secure by Design framework is the elimination of default passwords, which represent a persistent vulnerability in technology deployments. 

During the onboarding process, we are enforcing the password change, ensuring that each deployment begins with a secure foundation. Our workflows will prompt administrators to reconfigure credentials immediately upon installation, embedding security into the earliest stages of product use. These measures align with the goal of eradicating default passwords, reducing attack surfaces, and fostering a security-first mindset across our customer base.

Class of vulnerability elimination

Virtualization and networking solutions, such as those provided by Citrix, are inherently exposed to systemic risks, including privilege escalation (CWE-269) and memory corruption (CWE-119). In alignment with the Secure by Design Pledge, specifically its goal of eliminating entire classes of vulnerabilities, Citrix is embedding robust security practices into our development lifecycle to proactively address these threats. Within our secure development lifecycle (SDLC), we are leveraging advanced commercial off-the-shelf tools and custom-developed scripts to detect and remediate these classes of vulnerabilities. To tackle memory corruption issues such as buffer overflows, Citrix is adopting memory-safe programming paradigms, implementing compile-time protections, and reinforcing these with runtime safeguards where possible. These efforts collectively aim to eradicate broad categories of vulnerabilities at their root, reducing the attack surface across our product portfolio. Citrix employs comprehensive and well-established practices within its SDLC to ensure the integrity of its binaries. By utilizing a combination of diverse static and dynamic testing techniques, Citrix creates a solid baseline for its software components. This rigorous approach specifically targets the elimination of various classes of vulnerabilities including privilege escalation, a critical class of security flaws that could otherwise allow unauthorized users to gain elevated access and control within a system.

When a significant vulnerability is discovered within a Citrix product component, its supporting infrastructure, or associated services, our product security team initiates a rigorous response aligned with the goal of systemic prevention. This process begins with a thorough root cause analysis to identify the underlying factors contributing to the issue. Based on these findings, we define and prioritize preventative measures designed to minimize or eliminate the potential for similar vulnerabilities in the future. Citrix’s Product Security team collaborates closely with our engineering groups to integrate these security enhancements into our development and deployment pipelines. To ensure sustained progress and accountability, these efforts are subject to regular oversight and strong governance, with security and product leadership conducting reviews at regular cadence. This cadence allows us to monitor the effectiveness of our initiatives, identify recurring patterns, and refine our strategies accordingly. By systematically addressing entire classes of vulnerabilities, Citrix is not only fulfilling the Secure by Design commitment but also reinforcing the resilience of our virtualization and networking solutions for our customers.

Vulnerability disclosure policy (VDP)

Several core elements of the Secure By Design Pledge align seamlessly with the established best practices at Citrix. A clear example of this alignment is evident on our Citrix Product Security Vulnerability Response page, which serves as a resource for customers and security researchers. This outlines our Product Security Response Process in detail, offering step-by-step descriptions of each phase. It also highlights Citrix’s alignment to ISO/IEC 29147:2018, an international standard that provides guidelines, requirements, and recommendations for responsibly disclosing vulnerabilities in products and services.

Moreover, the Vulnerability Response resource offers practical information and guidance on vulnerability disclosure, a key objective of the Secure By Design Pledge. It ensures transparency by providing the industry with a straightforward way to contact our Product Security Incident Response Team (PSIRT) at secure@cloud.com for inquiries, questions, or to report product vulnerabilities. This process underpins our Product Security Incident Response intake system and complements our ongoing bug bounty program, reinforcing our dedication to transparency and our focus on delivering and maintaining secure products for our customers.

One area of improvement we are actively pursuing is the publication of a machine-readable description of our vulnerability disclosure process, as recommended by the pledge. This enhancement will make it easier for security researchers to find and understand our disclosure procedures, reducing the effort required and fostering greater engagement and collaboration between the security community and our product security teams. We are currently implementing this update, with completion expected shortly as the blog is being published.

The Secure by Design Pledge also encourages increased interaction between organizations and the public through channels like blog posts or other forms of active engagement. Such communication benefits both parties by establishing open dialogue, a critical foundation for effective vulnerability management. 

CVE reporting 

Citrix maintains a consistent practice of including Common Weakness Enumeration (CWE) fields in every CVE release for its products, a long-standing best practice across our product lines. Clear and accurate CVE reporting supports customers in managing our products securely and effectively. As a CVE Numbering Authority (CNA), the Citrix Product Security team is enhancing its processes to ensure CVE records for all Citrix products feature precise CWE and CPE fields such as linking a buffer overflow to CWE-120 and specifying affected versions with CPE identifiers. This information provides customers with a concise summary and classification of each vulnerability, facilitating better risk management.

Beyond its internal processes, the Citrix Product Security team is actively fostering partnerships with industry peers and security organizations to bolster collective resilience against cyber threats. Through data sharing and response strategies, the group contributes to a broader ecosystem of threat intelligence, benefiting not just its customers but the wider tech community. This collaborative approach complements its role as a CNA, enabling faster identification and mitigation of risks across diverse platforms. 

As product security at Citrix continues to advance and adapt to emerging and ongoing threats, we remain committed to aligning with globally recognized standards and promoting efforts to enhance security best practices universally. The Secure By Design Pledge represents a solid foundation, and Citrix enthusiastically embraces this and future opportunities for continuous improvement.

Evidence of intrusions

Enhancing customer ability to gather evidence of intrusions is critical for enterprise cyber resilience, and Citrix has been empowering customers on this for years. Our products including Citrix Virtual Desktop and Applications and NetScaler (Application Delivery Controller, Gateway, and Web Application Firewall) generate detailed logs required to support the effective intrusion detection and incident management. These logs include a wide range of application logs, syslog, audit logs, Management logs, AppFlow and IPFIX exports, network logs which can be collected and forwarded to SIEM platforms like Splunk, ELK, or Microsoft Sentinel for centralized management and analysis. ADC Console Analytics enhances visibility by aggregating security events, detecting anomalies, and providing real-time insights into traffic patterns and authentication logs. It also provides various insights specifically Web Insight, HDX Insight, Gateway Insight, Security Insight, SSL Insight

Citrix provides Web Application Firewall protection for Gateway virtual servers, traffic management virtual servers, and authentication virtual servers, securing them from malicious attacks by validating incoming requests using an API scheme. Citrix ensures these insights fit into broader security workflows, enhancing overall resilience. For example, our WAF logs can reveal attack patterns, helping teams fine tune defenses against evolving threats like SQL injection, buffer overflow attacks, command injection, cross-site scripting and zero-day exploits. Additionally, nFactor authentication logs, VPN session tracking, and HTTP transaction logs help identify unauthorized access attempts and behavioral anomalies. 

This empowers our customers to identify breaches quickly, understand their scope, and respond effectively, reducing the impact of cyberthreats.

Citrix: Strengthening the foundation of a secure hybrid future

Citrix’s comprehensive portfolio distinctively empowers us to align with—and achieve—the ambitious goals outlined in the pledge. Our recent acquisitions and integrations of those products, like deviceTRUST to ensure real-time endpoint compliance and Strong Network’s fortified development environments, exemplify our unwavering commitment to significantly reducing potential attack surfaces across diverse digital ecosystems. We maintain FedRAMP Moderate accreditation for Citrix Cloud Government and our Application Delivery Controller is certified to comply with a range of Defense, Federal, and enterprise security standards, including Federal Information Processing Standards (FIPS), Common Criteria (CC), and the Department of Defense Information Network Approved Products List (DoDIN APL). These certifications reflect Citrix’s commitment to providing secure and interoperable products to organizations in the defense, federal, state, and enterprise sectors. We are diligently applying these forward-thinking principles and cutting-edge methodologies to provide robust security within our products, ensuring that sensitive data remains secured in an increasingly complex and interconnected hybrid landscape.

Citrix product security: Looking ahead

The Secure by Design Pledge serves as a catalyst for Citrix, motivating our Product Security team to strengthen and elevate the security of our hybrid work solutions. By embedding these critical security goals into our technical roadmap, we’re taking a forward-thinking approach – anticipating and neutralizing potential threats before they can emerge, rather than responding after the fact. This commitment enables us to deliver secure platforms that our customers can rely on with confidence. As we move forward, we actively encourage and value technical feedback from our user community, fostering collaboration to refine our efforts. This ensures that security isn’t an afterthought but a core, intrinsic security element baked into every aspect of Citrix deployment, from design to implementation.

Explore more at Citrix Tech Zone and NetScaler Secure Deployment Guide or join the conversation on virtual desktops best practices.


Citrix maintains a Trust Center for its customers that provide self-service access to policies, procedures, security notifications, and third-party assessment reports (such as security program audits, penetration tests, and related artifacts). Citrix additionally runs an external bug bounty program that allows researchers to disclose vulnerabilities responsibly, encouraging external security reports. Finally, Citrix provides customers with details on patched vulnerabilities as a regular part of its release notes.