68 software manufacturers commit to CISA’s Secure by Design pledge for enhanced product security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced that 68 software manufacturers have voluntarily committed to its Secure by Design pledge. The initiative aims to enhance product security by incorporating security measures during the design phase. By participating in the pledge, these manufacturers are dedicated to working towards the outlined goals. The Secure by Design pledge represents a significant advancement in CISA’s initiative to promote secure product design.

The seven goals of the pledge are: multi-factor authentication (MFA); default passwords; reducing entire classes of vulnerability; security patches; vulnerability disclosure policy; CVEs; and evidence of intrusions. Each goal has core criteria that manufacturers are committing to work towards, in addition to context and example approaches to achieve the goal and demonstrate measurable progress.

Participating software manufacturers are pledging to work over the next year to demonstrate measurable progress towards seven concrete goals. To enable a variety of approaches, software manufacturers participating in the pledge have the discretion to decide how best they can meet and demonstrate the core criteria of each goal, but progress should be demonstrated in public.

Launched last year, CISA's global Secure by Design initiative implements the White House's National Cybersecurity Strategy by shifting the cybersecurity burden away from end users and individuals to the technology manufacturers who are most able to bear it. CISA urges software manufacturers to review its Secure by Design guidance and Secure by Design alerts to build security into their products.

“More secure software is our best hope to protect against the seemingly never-ending scourge of cyberattacks facing our nation. I am glad to see leading software manufacturers recognize this by joining us at CISA to build a future that is more secure by design,” Jen Easterly, CISA director, said in a media statement. “I applaud the companies who have already signed our pledge for their leadership and call on all software manufacturers to take the pledge and join us in creating a world where technology is safe and secure right out of the box.”

“A more secure by design future is indeed possible. The items in the pledge directly address some of the most pervasive cybersecurity threats we at CISA see today, and by taking the pledge software manufacturers are helping raise our national cybersecurity baseline,” Jack Cable, CISA senior technical advisor, said. “Every software manufacturer should recognize that they have a responsibility to protect their customers, contributing to our national and economic security. I appreciate the leadership of those who signed on and hope that every technology manufacturer will follow suit.”

The Secure by Design pledge has been signed by 68 companies, including vendors such as Amazon Web Services, Cisco, Google, IBM, Microsoft, Palo Alto Networks, and Trend Micro. Other signatories include cybersecurity firms such as Claroty, CrowdStrike, Cybeats, Finite State, Forescout, Fortinet, Rapid7, SentinelOne, Sophos, Tenable, and Zscaler. This collective commitment aims to enhance product security and promote a culture of secure design practices across the industry.

The Secure by Design pledge requires signatories to show tangible progress within one year of signing. This includes increasing the use of multi-factor authentication (MFA), reducing default passwords, and addressing vulnerability classes in their products. The pledge emphasizes measurable actions to enhance product security and reduce common security risks within the specified timeframe.

The pledge also requires signatories to demonstrate actions within one year of signing, such as increasing the installation of security patches by customers, establishing a vulnerability disclosure policy (VDP) that allows public testing, providing clear channels for reporting vulnerabilities, and enabling public disclosure in line with best practices.

Additionally, transparency in vulnerability reporting includes accurate CWE and CPE fields in every CVE record, timely issuance of CVEs for critical vulnerabilities, and enhancing customers’ ability to gather evidence of cybersecurity intrusions affecting the manufacturer’s products.

Earlier this week, the Department of Homeland Security (DHS) and CISA announced changes to the Cyber Safety Review Board (CSRB) membership. Jamil Jaffer, venture partner at Paladin Capital Group and founder and executive director of the National Security Institute at George Mason University's Scalia Law School; David Luber, director of the cybersecurity directorate at the National Security Agency (NSA); Katie Nickels, senior director of intelligence operations at Red Canary; and Chris Krebs, chief intelligence and public policy officer at SentinelOne, will be joining the CSRB.