Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

Tech Companies Promise 'Secure by Design' Products

Over 60 companies have signed CISA's Secure by Design pledge to consider security from the design phase and throughout the product life cycle.

Source: Digital Pegasus via Shutterstock

RSA CONFERENCE 2023 – San Francisco – More than 60 vendors have signed the Secure by Design pledge — a commitment to develop secure products spearheaded by the Cybersecurity and Infrastructure Security Agency (CISA).

CISA defines "secure by design" products as "those where the security of the customers is a core business requirement, not just a technical feature." Companies that adopt these principles are promising to consider security during the design phase and throughout the product life cycle to create more resilient products.

Instead of putting the onus of security on individuals and small businesses, the goal is to put the responsibility on the manufacturers that are making the products. The voluntary pledge focuses on enterprise software products and services, including cloud services, software-as-a-service, and on-premises software.

"There is a real urgency that everybody in this room not only feels but is highly aware of, and it is all about developing new and retrofitting older technologies and software with security as a core consideration," said CISA Director Jen Easterly at the RSA Conference in San Francisco this week.

Signatories to the pledge are asked to consider seven core goals and demonstrate their progress toward meeting those goals within one year. How they demonstrate progress, and the order they address the goals, is up to the individual companies, and there are no penalties for falling short. The goals are:

  • Increase the use of multifactor authentication across products.

  • Reduce the use of default passwords in products.

  • Reduce the prevalence of entire classes of vulnerabilities.

  • Make efforts to increase the installation of patches by customers.

  • Publish a vulnerability disclosure policy.

  • Be more transparent and timely about common vulnerabilities and exposures (CVEs).

  • Increase the ability of customers to gather evidence of cybersecurity intrusions affecting the manufacturer's products.

CISA launched its Secure by Design effort in April last year, urging "software manufacturers to take urgent steps necessary to ship products that are secure by design and revamp their design and development programs to permit only secure by design products to be shipped to customers." Earlier this year, CISA released a self-attestation form and repository that software makers can use to provide security details about their products. Federal agencies can look up the information to ensure the software they are buying has been created using secure development practices.

Amazon Web Services, BlackBerry, Cisco, CrowdStrike, Fortinet, GitHub, Google, Hewlett Packard, IBM, Ivanti, Lenovo, Microsoft, Netgear, Okta, and Palo Alto Networks have signed the pledge.

"Government can't do this alone. Private industry can't do this alone," Easterly said. "We have to bring the community together."

About the Author(s)

Fahmida Y. Rashid, Managing Editor, Features, Dark Reading

As Dark Reading’s managing editor for features, Fahmida Y Rashid focuses on stories that provide security professionals with the information they need to do their jobs. She has spent over a decade analyzing news events and demystifying security technology for IT professionals and business managers. Prior to specializing in information security, Fahmida wrote about enterprise IT, especially networking, open source, and core internet infrastructure. Before becoming a journalist, she spent over 10 years as an IT professional -- and has experience as a network administrator, software developer, management consultant, and product manager. Her work has appeared in various business and test trade publications, including VentureBeat, CSO Online, InfoWorld, eWEEK, CRN, PC Magazine, and Tom’s Guide.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights