Inside the ‘Secure By Design’ Revolution
The concept of Secure by Design has been around for years. The Cybersecurity and Infrastructure Security Agency (CISA) launched its Secure by Design initiative in April 2023, and the agency continues to champion progress in this area.
As a part of its ongoing efforts, CISA announced the Secure by Design Pledge at the 2024 RSA Conference in May. More than 100 software manufacturers have heard the rallying call and signed the pledge thus far.
“There’s a real desire among the pledge signers to be those early adopters and first movers, as part of what we’re calling the Secure by Design revolution,” Lauren Zabierek, senior advisor, cybersecurity division at CISA, tells InformationWeek.
What does making the pledge mean for these companies, and how could it drive improvements in cybersecurity? Leaders with six companies weighed in on their commitment to the pledge.
The Pledge
The Secure by Design Pledge is a voluntary initiative that invites companies developing enterprise software, including on-premises, cloud, and SaaS products, to demonstrate progress toward seven goals. The goals include:
- Increasing the use of multi-factor authentication (MFA)
- Reducing the use of default passwords
- Reducing entire classes of vulnerability
- Increasing the use of security patches by customers
- Publishing a vulnerability disclosure policy
- Demonstrating transparent vulnerability reporting
- Demonstrating an increase in customers’ ability to gather evidence of intrusions
“These, we think, are the top concrete actions that we can do right now, which is really informed by the current threat landscape,” says Zabierek. CISA did not select these goals on its own. Rather, the agency collaborated with industry stakeholders to structure the pledge.
While not legally binding, the pledge encourages those that sign up to show demonstrable progress in each of the seven goals within a year.
“One thing that we like, and I think a lot of industry likes, is it allows for flexibility in showing how you meet those goals,” Charley Snyder, head of security policy at Google, tells InformationWeek.
If pledge signers are unable to show progress within a year, CISA encourages them to communicate what steps they did take and share what challenges they faced. The agency plans to offer its support throughout the year.
“We are going to be working very closely with the pledge signers to help make progress on these pledge goals,” Zabierek explains. “We worked collaboratively with industry to develop the actions, and we’re going to maintain that collaboration.”
Industry Response to Secure by Design Pledge
The pledge has more than 100 companies on board today, and that number is growing. Many companies have been applying Secure by Design principles to their products for years, making the pledge a logical way to publicly demonstrate support.
“We’ve been following Secure by Design, Secure by Default principles from early days in our cloud,” says Mark Ryland, director of Amazon Security at Amazon Web Services (AWS). “So, it was not a difficult decision to join in with them and really encourage the whole industry to get behind some of these ideas.”
Pledge signers voiced similar sentiments in published statements of support for the pledge.
Many leaders expressed their commitment to ongoing collaboration between the public and private sectors, including Marjorie Dickman, chief government affairs and public policy officer at cybersecurity company BlackBerry.
“Our decision also was influenced by our strong commitment to public-private partnerships and a shared vision of cybersecurity best practices to secure the digital ecosystem,” she tells InformationWeek via email.
From Words to Action
While support for the pledge is an encouraging sign, the enterprises on board will have to make good on their promises over the next year. Where do companies stand on the pledge goals today, and how will they be demonstrating progress?
Some companies will be farther along in the process than others that are only beginning to get a handle on cybersecurity.
Developer platform GitHub, for example, has several initiatives that align with the pledge goals, including a bug bounty program, free security tooling for open-source developers, and two-factor authentication requirements, according to Jacob DePriest, deputy CSO and VP. GitHub also works as a CVE Numbering Authority (CNA).
Amazon has been following many of the practices outlined in the pledge from the early days of the cloud, according to Ryland. The tech giant is also planning to drive progress in areas like MFA. “We will increase the … range of accounts that will be requiring MFA as we go forward over the next year or more,” he says.
Amazon is also focused on increasing the use of memory-safe languages and increasing the use of formal verification tools to improve software quality, according to Ryland.
Google was driven to reimagine and redesign its cybersecurity program following the Operation Aurora cyberattack in 2009. “In many ways, the [pledge] reflects practices that Google has been performing for years,” says Snyder.
But Google will still be looking for ways to communicate progress on the pledge goals. “We are organizing internally to … make an inventory of … what are all the initiatives that are in flight?” says Snyder. “[We are] making sure that we … organize them in a way that meets the government where they are and can show tangibly that industry is carrying out these commitments.”
Tidelift, a company that partners with open-source maintainers, is not only applying the principles outlined in the pledge to its own software, but it also published an update on the ways it is working to help open-source maintainers achieve the pledge goals.
The company is requiring the open-source maintainers it works with to enable multi-factor authentication on all parts of their software supply chain and to have a vulnerability disclosure policy in place. It is also working with open-source partners to eliminate entire classes of vulnerabilities.
CISA Director Jen Easterly discussed secure-by-design principles at the RSA Conference 2024. Photo by Joao-Pierre S. Ruth
“We worked with a prominent project in the Java language ecosystem, jackson-databind, to basically rearchitect part of their library to reduce an entire class of remote code execution vulnerabilities that could have been potentially used as an attack on that library,” says Donald Fischer, cofounder and CEO of Tidelift.
Some goals may be easier than others for industry to tackle. As the software supply chain grows in complexity, enterprise leaders have to consider how Secure by Design principles apply to more than just their own core products.
Asset intelligence cybersecurity company Armis is among those that took the pledge. Nadir Izrael, the company’s cofounder and CTO, shares that his team is considering how to best work through the pledge’s goals as it acquires smaller companies earlier on in their cybersecurity journeys.
“The biggest challenge for us is not so much adhering to all of this with our core product line and the things that we’ve been building, but really incorporating [it] into the mix [of] acquisitions,” he says. “We’re not fully consuming or incorporating acquired companies into the main line environment and product until we reach a certain level of maturity.”
The connected nature of the software supply chain also means that the success of Secure by Design principles relies on collective action.
“The challenge (and the opportunity!) for most companies is that we can’t do this alone,” DePriest tells InformationWeek via email. “Progress here will require every company to take meaningful, transparent action in these key areas, as well as the broader industry to level up the maturity, ease of use, and automation around things like CVEs, vulnerability management, and risk at scale.”
Just the Beginning
Over the next year, it will remain to be seen how companies embrace transparency and report the details of their progress on the pledge.
As time goes on, CISA and other industry stakeholders could raise the bar. “I hope that the scope of this expands over time. Certainly, there are other elements of the Secure by Design conversation that have been written about by CISA and its partners,” says Fischer. “So, hopefully the bar gets higher.”
Scott Algeier, executive director at the nonprofit Information Technology-Information Sharing and Analysis Center (IT-ISAC), hopes to see more focus on Secure by Default in the future: making software secure out of the box. “When you deliver software, there are people who are behind it who will make their own decisions. What we want to do is make the security the easiest decision,” he explains.
Zabierek hopes that CISA’s continued efforts, like this pledge, will help move the needle on cybersecurity. “We really hope that over the next two years we won’t have to be asking companies to do things like eliminate default, hard-coded passwords or enable multi-factor authentication by default,” she says. “We really view this as the catalyst for ongoing, systemic positive change.”