Tech Companies Promise Secure by Design Products


RSA CONFERENCE 2023 – San Francisco – More than 60 vendors have signed the secure by design pledge, the commitment to develop secure products spearheaded by the Cybersecurity and Infrastructure Security Agency (CISA).

CISA defines secure by design as “the security of the customers is a core business requirement, not just a technical feature.” Companies that adopt these principles are promising to consider security during the design phase and throughout the product lifecycle to create more resilient products.

Instead of putting the onus of security on individuals and small businesses, the goal is to put the responsibility on manufacturers who are making the products. The voluntary pledge focuses on enterprise software products and services, including cloud services, software-as-a-service, and on-premises software.

“There is a real urgency that everybody in this room not only feels but is highly aware of, and it is all about developing new and retrofitting older technologies and software with security as a core consideration,” said CISA Director Jen Easterly at the RSA Conference in San Francisco this week.

Signatories to the pledge are asked to consider seven core goals and demonstrate their progress towards meeting those goals within one year. How they demonstrate progress, and the order in which they address the goals, is up to the individual companies, and there are no penalties for falling short. The seven goals are:

  • Increase the use of multifactor authentication across products.

  • Reduce the use of default passwords in products.

  • Reduce the prevalence of entire classes of vulnerabilities.

  • Make efforts to increase the installation of patches by customers.

  • Publish a vulnerability disclosure policy.

  • Be more transparent and timely about common vulnerabilities and exposures (CVEs).

  • Increase the ability of customers to “gather evidence of cybersecurity intrusions affecting the manufacturer’s products.”

CISA launched its Secure by Design effort in April last year, urging “software manufacturers to take urgent steps necessary to ship products that are secure by design and revamp their design and development programs to permit only secure by design products to be shipped to customers.” Earlier this year, CISA released a self-attestation form and repository that software makers can use to provide security details about their products. Federal agencies can look up the information to ensure the software they are buying has been created using secure development practices.

Amazon Web Services, BlackBerry, Cisco, CrowdStrike, Fortinet, GitHub, Google, Hewlett Packard, IBM, Ivanti, Lenovo, Microsoft, Netgear, Okta, and Palo Alto Networks have signed the pledge.

“Government can’t do this alone, private industry can’t do this alone. We have to bring the community together,” Easterly said.
