Next generation technology and secure development
68 technology companies join U.S. Cyber Agency's pledge to build security into their products
Chris Liotta (@Chris Liotta)
May 9, 2024
The leading U.S. cyber defense agency has joined 68 software companies in a new pledge aimed at building stronger security measures directly into product design, part of a broader effort to shift security responsibility from users to developers.
The Cybersecurity and Infrastructure Security Agency announced its “Secure By Design” pledge on Wednesday. It sets out seven goals that manufacturers must address and show measurable progress on, including expanding the use of multi-factor authentication, reducing default passwords and entire classes of vulnerabilities, and increasing security patching across manufacturers' products. The pledge describes a detailed approach for each goal, and signatories committed to demonstrating this progress within the next 12 months.
“More secure software is our best hope for protecting against the never-ending scourge of cyberattacks facing our nation,” CISA Director Jen Easterly said in a statement accompanying the announcement. “We commend the leadership of the companies that have already signed our pledge, and we call on all software makers to take up the pledge and join us in building a world where technology is safe and secure now.”
The pledge also requires manufacturers to publish vulnerability disclosure policies that allow the public to test their products and transparently disclose vulnerabilities. Organizations that sign on to the initiative agree to “demonstrate a significant increase in a customer's ability to collect evidence of cybersecurity intrusions affecting a manufacturer's products.”
The initial 68 members of the Secure By Design pledge include Amazon Web Services, Cisco, Cloudflare, Microsoft, Hewlett Packard Enterprise, and IBM. According to CISA, the pledge is based on existing software security best practices developed by the National Institute of Standards and Technology, as well as industry and international standards.
“The items in this pledge directly address some of the most pervasive cybersecurity threats that CISA sees today,” CISA Senior Technical Advisor Jack Cable said in a statement. “All software manufacturers should recognize that they have a responsibility to protect their customers.”
In 2023, CISA, the FBI, the NSA, and international partners announced a framework to help manufacturers further embed security into their design processes. It calls for risk assessments to identify the key cyber threats to critical systems, for protections to be built into the product blueprint from the start, and for improved product quality overall (see: CISA and others publish guide for secure software production).
The agency wrote that secure-by-design principles “not only strengthen customers' security posture and developers' brand reputation, but also reduce maintenance and patching costs for manufacturers in the long run.”