Over 60 vendors at the RSA Conference 2023 in San Francisco have committed to the Secure by Design pledge initiated by the Cybersecurity and Infrastructure Security Agency (CISA). This pledge emphasizes the development of secure products that prioritize customer security as a fundamental business requirement, rather than just a technical feature. By integrating security into the design phase and throughout the product’s life cycle, companies aim to create more resilient products and enhance cybersecurity measures across the industry.
The focus of the Secure by Design pledge is to shift the responsibility of security from individuals and small businesses to the manufacturers of products. This voluntary commitment primarily targets enterprise software products and services, including cloud services, software-as-a-service, and on-premises software. By embedding security into the core considerations of technology development, companies can proactively address cybersecurity threats and vulnerabilities.
During the RSA Conference, CISA Director Jen Easterly emphasized the urgent need for all stakeholders to prioritize security in both new technologies and existing software. The goal is to ensure that security remains a fundamental consideration in the development and implementation of products, enabling organizations to safeguard their systems against evolving cyber threats and attacks.
Signatories to the Secure by Design pledge are required to adhere to seven core goals and demonstrate progress within a year. These goals include increasing the use of multifactor authentication, reducing the reliance on default passwords, mitigating vulnerabilities, promoting patch installation by customers, establishing vulnerability disclosure policies, enhancing transparency around common vulnerabilities, and improving the ability of customers to detect cybersecurity intrusions affecting manufacturers’ products. Companies have the flexibility to determine how they address these goals and monitor their progress, with no punitive measures for any shortcomings.
CISA initiated the Secure by Design campaign in April of the previous year, urging software manufacturers to prioritize secure design practices and reevaluate their development programs to ensure that only secure products are delivered to customers. Earlier this year, CISA introduced a self-attestation form and repository that software vendors can use to disclose security details about their products, providing federal agencies with valuable insights into the security practices of software vendors and ensuring the procurement of secure products.
Leading technology companies such as Amazon Web Services, BlackBerry, Cisco, CrowdStrike, Fortinet, GitHub, Google, Hewlett Packard, IBM, Ivanti, Lenovo, Microsoft, Netgear, Okta, and Palo Alto Networks have already committed to the Secure by Design pledge. By fostering collaboration between government agencies, private industry, and the broader cybersecurity community, initiatives like Secure by Design aim to collectively strengthen cybersecurity measures and fortify the resilience of digital infrastructure.
In conclusion, the Secure by Design pledge underscores the critical role of secure product development in enhancing cybersecurity and protecting customer data. By advocating for security-first design principles and encouraging transparent and proactive security practices, companies can mitigate risks, combat cyber threats, and foster a more secure digital ecosystem. The collaborative efforts of industry leaders and government agencies in supporting initiatives like Secure by Design highlight a shared commitment to prioritizing cybersecurity and safeguarding against potential threats in an increasingly interconnected world.