Company Updates
‘Secure by Design’ at Versa: One Year of Progress
Security is a product decision, not an afterthought. Versa signed the CISA Secure by Design pledge, and over the past year we have been putting its goals into practice across our platform, processes, and programs. Below, organized around the seven pledge goals, is a summary of the related new capabilities and enhancements we’ve delivered, with a brief explanation of why each change matters.
1) Multi-Factor Authentication (MFA)
- Tenant-level MFA controls across key consoles (e.g., Concerto, Director, Analytics) so admins can enforce MFA requirements org-wide rather than user-by-user.
- Admin MFA nudges (“seat-belt chimes”): Contextual banners and interstitial prompts that remind administrators when MFA isn’t enabled and guide them to turn it on.
- Deployment and validation of FIDO-based (phishing-resistant) MFA best practices through an identity provider (IdP).
Why it matters
Raising MFA enrollment – especially for admins – cuts off the most common credential-based attack paths and aligns with the pledge’s emphasis on phishing-resistant methods.
2) Default Passwords
- Instance-unique, time-limited setup passwords that expire after initial configuration.
- Forced password change on first use and strong password checks during install.
- Visibility when defaults persist: banners in Director and Analytics (and previously Concerto) alert administrators if a default credential remains anywhere in the stack.
- Hardening in 22.1.4 updates (2025) across the VersaOS and management planes to enforce secure initialization consistently.
Why it matters
Eliminating universal defaults turns opportunistic “scan-and-exploit” into a dead end, directly addressing a frequent root cause in incidents.
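The initialization pattern described in this section (an instance-unique setup password that expires, a forced change on first use, a strong-password check, and a banner while defaults persist), modelled as an added example. This is illustrative code written for this page, not Versa's implementation; the class names, the 24-hour TTL, the PBKDF2 parameters and the KNOWN_DEFAULTS list are assumptions.

```python
import hashlib
import hmac
import secrets
import string
from typing import Optional

# Added example, not Versa's code. TTL, hashing parameters and the
# KNOWN_DEFAULTS list are illustrative assumptions.
SETUP_PASSWORD_TTL_SECONDS = 24 * 3600              # assumed setup window
KNOWN_DEFAULTS = {"admin", "password", "changeme"}  # constructed sample list
PBKDF2_ROUNDS = 200_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def password_policy_ok(password: str) -> bool:
    """Strong-password check: length, at least three character classes, not a known default."""
    if len(password) < 12 or password.lower() in KNOWN_DEFAULTS:
        return False
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(classes) >= 3


class SetupCredential:
    """Instance-unique setup password that expires and can be redeemed exactly once."""

    def __init__(self, now: float):
        self.password = secrets.token_urlsafe(18)   # unique per instance, never a shared default
        self.salt = secrets.token_bytes(16)
        self.digest = _hash_password(self.password, self.salt)
        self.expires_at = now + SETUP_PASSWORD_TTL_SECONDS
        self.redeemed = False

    def verify(self, candidate: str, now: float) -> bool:
        if self.redeemed or now >= self.expires_at:
            return False
        return hmac.compare_digest(_hash_password(candidate, self.salt), self.digest)


class ManagementPlane:
    """Minimal admin-credential state for a freshly installed instance."""

    def __init__(self, now: float):
        self.setup = SetupCredential(now)
        self.admin_salt: Optional[bytes] = None
        self.admin_digest: Optional[bytes] = None

    def first_login(self, setup_password: str, new_password: str, now: float) -> str:
        """Redeem the setup password and force an immediate change to a strong one."""
        if not self.setup.verify(setup_password, now):
            return "rejected: setup credential invalid, expired, or already used"
        if not password_policy_ok(new_password):
            return "rejected: new password fails policy"
        self.admin_salt = secrets.token_bytes(16)
        self.admin_digest = _hash_password(new_password, self.admin_salt)
        self.setup.redeemed = True                   # the setup password is now dead
        return "ok"

    def login(self, password: str) -> bool:
        if self.admin_digest is None or self.admin_salt is None:
            return False
        return hmac.compare_digest(_hash_password(password, self.admin_salt), self.admin_digest)

    def default_credential_banner(self, now: float) -> Optional[str]:
        """Text for the 'defaults persist' banner, or None once initialization is complete."""
        if self.admin_digest is not None:
            return None
        if now >= self.setup.expires_at:
            return "Setup credential expired before initialization; re-provision this instance"
        return "Initial setup not completed: the setup credential is still active"
```

The two properties worth copying are that the setup secret is generated per instance (so a leaked one is useless elsewhere) and that it is dead after one redemption or one TTL, whichever comes first; the banner keys off whether a real admin credential has ever been set rather than off a hard-coded default string.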
3) Reducing Entire Classes of Vulnerabilities
- Shift-left scanning embedded in CI/CD: Static Application Security Testing (SAST), covering both static code analysis and static binary analysis, is enabled across the board for web and control-plane services, focusing on OWASP Top 10 classes (e.g., SQL injection, XSS) and other common weaknesses. Findings across all Versa products were remediated as part of this program, and pipeline automation now enforces resolution of any issue reported by the SAST tools.
- Language and tooling safeguards: Language-specific checks for C, C++, Java, Python, Go, and shell scripts using multiple security tools, plus adoption of secure web templating and framework patterns to cut XSS risk.
- Vulnerability management: Multiple vulnerability scanning tools feed timely patching, remediation, and advisories published on the Versa Security Portal (https://security-portal.versa-networks.com/).
- Red team cadence: An internal red team with named team leads proposes periodic targeted testing to validate class-level fixes.
- Software Bills of Materials (SBOMs) for every monthly build in industry-standard formats (CycloneDX and SPDX), generated alongside vulnerability scans, supporting supply-chain transparency. This is aligned with SLSA (Supply-chain Levels for Software Artifacts) workflows.
Why it matters
Preventing entire bug classes scales better than chasing single CVEs. Our pipeline focuses on eliminating injection and scripting flaws up front, with SBOMs and reproducible scanning to prove it.
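An added example of the SBOM step above: assembling a minimal CycloneDX 1.5 JSON document for a build and then using it for the vulnerability cross-reference that runs alongside it, keyed on package URLs (purls). This is illustrative code written for this page, not Versa's build tooling; the component inventory is a constructed sample, and the advisory records (placeholder IDs ADV-EXAMPLE-1..3 with a "first fixed version" field) are constructed data, not real advisories.

```python
import json
import uuid
from typing import Dict, List, Tuple

# Added example, not Versa's tooling. COMPONENTS and ADVISORIES are constructed
# sample data; the advisory IDs are placeholders, not real identifiers.
COMPONENTS = [
    {"name": "openssl", "version": "3.0.13", "purl": "pkg:generic/openssl@3.0.13"},
    {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
]

# Each record names the unversioned purl it applies to and the first fixed version;
# every earlier version is treated as affected (a simplification of real range data).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "purl_base": "pkg:pypi/requests", "fixed_in": "2.32.0", "severity": "high"},
    {"id": "ADV-EXAMPLE-2", "purl_base": "pkg:npm/lodash", "fixed_in": "4.17.21", "severity": "critical"},
    {"id": "ADV-EXAMPLE-3", "purl_base": "pkg:generic/openssl", "fixed_in": "3.0.10", "severity": "high"},
]


def build_cyclonedx(components: List[Dict[str, str]], build_id: str) -> Dict:
    """Assemble a CycloneDX 1.5 document (JSON flavour) for one build."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": "example-product", "version": build_id}},
        "components": [
            {"type": "library", "name": c["name"], "version": c["version"], "purl": c["purl"]}
            for c in components
        ],
    }


def _version_key(version: str) -> Tuple[int, ...]:
    """Numeric-tuple ordering for dotted versions; non-numeric parts sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def split_purl(purl: str) -> Tuple[str, str]:
    """'pkg:pypi/requests@2.31.0' -> ('pkg:pypi/requests', '2.31.0'); no '@' means no version."""
    base, sep, version = purl.rpartition("@")
    if not sep:
        return purl, ""
    return base, version


def match_advisories(bom: Dict, advisories: List[Dict]) -> List[Dict]:
    """One finding per (component, advisory) where the shipped version is below fixed_in."""
    findings = []
    for comp in bom["components"]:
        base, version = split_purl(comp["purl"])
        for adv in advisories:
            if adv["purl_base"] == base and _version_key(version) < _version_key(adv["fixed_in"]):
                findings.append({"component": comp["purl"], "advisory": adv["id"], "severity": adv["severity"]})
    return findings


def sbom_json(bom: Dict) -> str:
    return json.dumps(bom, indent=2, sort_keys=True)


if __name__ == "__main__":
    bom = build_cyclonedx(COMPONENTS, "2025.03")
    print(sbom_json(bom))
    for f in match_advisories(bom, ADVISORIES):
        print(f"{f['severity'].upper()}: {f['component']} affected by {f['advisory']}")
```

Matching on the purl rather than on the bare component name is what makes the cross-reference usable across ecosystems (a PyPI `requests` and an npm `requests` are different packages). Real scanners consume proper version ranges rather than a single "fixed in" value, but the SBOM-in, findings-out shape is the same.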
4) Security Patches
- Faster OS-level patching: kernel and third-party component advisories are published on the Versa Security Portal daily, with an operational target of one day for critical OS updates.
- Hotfix discipline for application components, driving down time-to-patch from disclosure to release; the operational target is 1-7 days for critical and high severity vulnerabilities.
- SaaS posture: For hosted services, we patch the services, so customers inherit fixes with minimal operational friction.
Why it matters
CISA’s guidance stresses making patches easier to adopt. Accelerating advisories and applying fixes in managed environments reduces the customer burden and risk.
5) Vulnerability Disclosure Policy (VDP)
- Public VDP & web submission form were finalized for publication on the Versa Security Portal, including scope, safe-harbor language, and coordinated disclosure timelines.
- HackerOne program (private) with ~40 vetted researchers engaged against dedicated, isolated environments to maximize signal while managing risk.
Why it matters
Clear rules of engagement and a first-party intake channel accelerate fixes and reward good-faith research, as CISA recommends.
6) CVEs (Transparency & Timeliness)
- CWE and CPE are included for every CVE we publish, improving searchability and customer triage.
- Timely CVE issuance for high/critical findings that require customer action or show signs of exploitation.
- Disclosure hygiene through guidance and SLAs aligned with coordinated disclosure norms; backlog reduction efforts continue so advisories ship with patches.
Why it matters
CVE volume can rise when vendors get serious about finding and fixing issues – that’s a feature, not a bug. Our goal is clarity, completeness, and speed so customers can act.
7) Evidence of Intrusions (Customer Logging & Retention)
- Baseline logs are available across our products for configuration changes, identity/auth events, and (as applicable) network flows so customers can reconstruct events.
- Retention of hosted-service, core audit, and access logs for at least six months at no additional charge.
- Dogfooding + SIEM: Our production environments centralize analytics, audit, and infrastructure logs into a SIEM (with EDR on managed services endpoints) to validate the same evidence paths we recommend to customers.
Why it matters
You can’t investigate what you can’t see. Providing evidence by default aligns with the pledge and shortens customers’ mean time to detect and respond.
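An added example of what the baseline log types above make possible: correlating identity/auth events with configuration changes to reconstruct what an administrator did and to flag changes that have no trustworthy login behind them. This is illustrative detection code written for this page, not Versa's products' log format or any shipped rule; the JSON-lines records and their field names (`type`, `session`, `mfa`, `object`, `action`) are constructed sample data.

```python
import json
from datetime import datetime, timezone
from typing import Dict, List

# Added example, not Versa's code or log schema. SAMPLE_LOG is constructed sample data;
# the field names are assumptions made for this illustration.
SAMPLE_LOG = """
{"ts":"2025-03-01T10:00:00Z","type":"auth","user":"alice","session":"s1","result":"success","mfa":true,"src":"10.0.0.5"}
{"ts":"2025-03-01T10:02:00Z","type":"config_change","user":"alice","session":"s1","object":"firewall/policy/branch-1","action":"update"}
{"ts":"2025-03-01T11:00:00Z","type":"auth","user":"svc-backup","session":"s2","result":"success","mfa":false,"src":"198.51.100.7"}
{"ts":"2025-03-01T11:01:00Z","type":"config_change","user":"svc-backup","session":"s2","object":"admin/users/new-admin","action":"create"}
{"ts":"2025-03-01T11:30:00Z","type":"auth","user":"bob","session":"s3","result":"failure","mfa":false,"src":"203.0.113.9"}
{"ts":"2025-03-01T12:00:00Z","type":"config_change","user":"bob","session":"s9","object":"system/logging","action":"delete"}
"""


def parse_events(text: str) -> List[Dict]:
    """Parse JSON-lines audit records (blank lines ignored) and return them in time order."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_changes(events: List[Dict]) -> List[Dict]:
    """Flag config changes whose session has no successful login, or whose login lacked MFA."""
    sessions: Dict[str, Dict] = {}   # session id -> the successful auth event that opened it
    findings = []
    for ev in events:                # chronological walk, so a login precedes its changes
        if ev["type"] == "auth" and ev["result"] == "success":
            sessions[ev["session"]] = ev
        elif ev["type"] == "config_change":
            login = sessions.get(ev["session"])
            if login is None:
                reason = "config change with no successful login for this session"
            elif not login.get("mfa", False):
                reason = "config change in a session authenticated without MFA"
            else:
                continue
            findings.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                             "object": ev["object"], "action": ev["action"], "reason": reason})
    return findings


def user_timeline(events: List[Dict], user: str) -> List[str]:
    """One line per event for a user, the shape an incident write-up needs."""
    lines = []
    for ev in events:
        if ev["user"] != user:
            continue
        if ev["type"] == "auth":
            detail = f"{ev['result']} login mfa={ev['mfa']} from {ev['src']}"
        else:
            detail = f"{ev['action']} {ev['object']}"
        lines.append(f"{ev['ts'].isoformat()} {ev['type']}: {detail}")
    return lines


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for f in find_suspicious_changes(events):
        print(f"{f['ts']} {f['user']} {f['action']} {f['object']}: {f['reason']}")
    print("\n".join(user_timeline(events, "svc-backup")))
```

The two findings this produces (a new admin created in a session that never passed MFA, and a logging configuration deleted by a session with no login on record) are exactly the kinds of events that are unrecoverable if auth events and configuration changes are not both retained, which is why the section above lists them together.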
Beyond the Pledge: Culture, Transparency, and “Shift-Left”
- The Versa Security Portal is the single place for advisories, VDP, and aggregated metrics (e.g., MFA adoption, supported-version distribution).
- Secure defaults for developers: Common libraries and patterns (sanitized inputs, parameterized queries, safe serialization) reduce the chance of reintroducing known classes.
- Continuous hardening: The 22.1.4 updates in 2025 reinforced secure initialization and password policies across management planes, with visible banners when defaults persist.
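An added example of the class-level fixes named in goal 3 and in the "secure defaults for developers" item above: the string-building patterns that SAST flags for SQL injection and XSS, each beside the parameterized-query or output-escaping form that removes the class. This is illustrative code written for this page, not Versa's libraries; the in-memory SQLite table, the user rows and the payloads are constructed test data.

```python
import html
import sqlite3
from typing import List

# Added example, not Versa's code. The table contents and payloads are constructed.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "viewer")])
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[str]:
    # BAD: untrusted input is concatenated into the statement, so the caller controls the SQL.
    rows = conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()
    return [r[0] for r in rows]


def lookup_user_safe(conn: sqlite3.Connection, name: str) -> List[str]:
    # GOOD: parameterized query. The value travels separately from the statement text,
    # so quotes inside `name` can never change the query's structure.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


def greeting_vulnerable(display_name: str) -> str:
    # BAD: raw interpolation into HTML; a name containing markup is rendered as markup.
    return f"<p>Welcome, {display_name}!</p>"


def greeting_safe(display_name: str) -> str:
    # GOOD: escape at the output boundary, which is what auto-escaping templates do by default.
    return f"<p>Welcome, {html.escape(display_name, quote=True)}!</p>"


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_user_vulnerable(conn, payload))   # every row comes back
    print("safe:      ", lookup_user_safe(conn, payload))         # no such user
    xss = "<script>alert(1)</script>"
    print(greeting_vulnerable(xss))
    print(greeting_safe(xss))
```

The point of making the safe forms the shared library default is that a reviewer or a SAST rule can then treat any direct string-building against a query or a template as a finding, regardless of whether a given instance happens to be exploitable today.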
What Customers Can Expect Next
- Phishing-resistant MFA (passkeys) expansion across admin roles and prioritized clients.
- Deeper class-reduction goals (e.g., XSS-resistant templating by default and expanded static analysis coverage for Go and Python microservices).
- Public metrics on adoption (MFA, patch levels) and VDP analytics (time-to-triage, time-to-fix).
- Security portal updates: VDP publication, researcher intake form, and rolling advisories.
Our Commitment
CISA’s Secure by Design goals ask vendors to own customer security outcomes and to show their work. That’s our bar. We’ll keep publishing progress, shipping secure defaults, and investing in the controls that remove entire attack classes – not just individual bugs.