CISA details a plan to create more secure software.
The US Cybersecurity and Infrastructure Security Agency (CISA) has announced a pledge to design products with greater security built in.
Supported by 68 of the world’s leading software vendors, the Secure by Design pledge features seven core goals, and those manufacturers have pledged to work over the next year to demonstrate measurable progress.
Each of the goals has a core criteria which manufacturers are committing to work towards,and those participating can decide how best to meet and demonstrate the core criteria of each goal. The seven goals of the pledge are:
Multi-factor authentication. Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of multi-factor authentication across the manufacturer’s products.
Default passwords. Within one year of signing the pledge, demonstrate measurable progress towards reducing default passwords across the manufacturers’ products.
Reducing entire classes of vulnerability. Within one year of signing the pledge, demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products.
Security patches. Within one year of signing the pledge, demonstrate actions taken to measurably increase the installation of security patches by customers.
Vulnerability disclosure policy. Within one year of signing the pledge, publish a vulnerability disclosure policy that authorises testing by members of the public on products offered by the manufacturer, commits to not recommending or pursuing legal action against anyone engaging in good faith efforts to follow the policy, provides a clear channel to report vulnerabilities, and allows for public disclosure of vulnerabilities in line with coordinated vulnerability disclosure best practices and international standards.
CVEs. Within one year of signing the pledge, demonstrate transparency in vulnerability reporting by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every Common Vulnerabilities and Exposures (CVE) record for the manufacturer’s products. Additionally, issue CVEs in a timely manner for, at minimum, all critical or high impact vulnerabilities (whether discovered internally or by a third party) that either require actions by a customer to patch or have evidence of active exploitation.
Evidence of intrusions. Within one year of signing the pledge, demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products.
“More secure software is our best hope to protect against the seemingly never-ending scourge of cyberattacks facing our nation,” CISA Director Jen Easterly said. “I applaud the companies who have already signed our pledge for their leadership and call on all software manufacturers to take the pledge and join us in creating a world where technology is safe and secure right out of the box.”
Specifically, the pledge includes enterprise software products and services, including on-premises software, cloud services, and software as a service (SaaS). Physical products such as IoT devices and consumer products are not scoped in the pledge.
Those participating in the pledge are encouraged to publicly document how they have achieved such progress within one year of signing the pledge, or share with CISA how the manufacturer has worked towards the goal and any challenges faced.
Also, in the spirit of “radical transparency”, manufacturers are encouraged to publicly document their approach so that others can learn from their efforts.
CISA said to enable a variety of approaches, software manufacturers participating in the pledge have the discretion to decide how best they can meet and demonstrate the core criteria of each goal.
“Demonstrating measurable progress across the manufacturer’s products can take a variety of forms — such as by taking action on all the manufacturer’s products, or by choosing a set of products to first address and publishing a roadmap for other products,” the statement read.
“CISA acknowledges and applauds software manufacturers who already meet or exceed these goals. In such a case where a software manufacturer already meets or exceeds a goal, the manufacturer should publicly describe how they are doing so. In these cases, CISA welcomes additional efforts to go above and beyond the goals in the pledge.”
At the time of announcing the pledge, 68 companies had announced their intention to support the pledge. Among them was Veracode, whose CTO and co-founder Chris Wysopal said: “CISA’s Secure by Design pledge is a strong, pragmatic step forward in its commitment to work with the industry to materially reduce exploitable flaws in products our citizens use.
“Secure by design is an important and game changing cybersecurity standard for the whole network connected world.”
Robert Huber, CISO at Tenable, said: “Security by design is key for safeguarding the broader ecosystem, ensuring that cybersecurity is integrated into the very foundation of technology products. By incorporating security practices from the outset, rather than bolting on later, organisations can save valuable time and resources, while improving their cyber hygiene and protecting their assets.”
Also, Heather Adkins, vice president and cybersecurity resilience officer at Google, said: “Secure by design has been the cornerstone of Google's security work from the very beginning. It's a concept built around the guiding principle of the safety and security of our enterprise customers and end-users. We're thrilled to be joining forces with CISA and our industry peers to further amplify secure by design and make people safer online.”
CISA’s senior technical advisor Jack Cable said.that a more secure by design future is indeed possible, as the goals in the pledge directly address some of the most pervasive cybersecurity threats we at CISA see today, and by taking the pledge software manufacturers are helping raise our national cybersecurity baseline,”
Dan Raywood is a seasoned B2B journalist with over 20 years of experience, specializing in cybersecurity for the past 15 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes. Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
Dan Raywood is a seasoned B2B journalist with over 20 years of experience, specializing in cybersecurity for the past 15 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes. Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
An error occurred trying to play the stream. Please reload the page and try again.
CloseRegistering with SC Media is 100% free. Join tens of thousands of cybersecurity leaders today and gain access to the latest analysis shaping the global infosec agenda.
