There are many significant challenges in cybersecurity -- perhaps none bigger than improving software security through more secure design and development. To that end, the Cybersecurity and Infrastructure and Security Agency (CISA) launched its Secure by Design initiative to ultimately improve software security at the source: the software maker. The initiatives aim to shift the responsibility for cybersecurity from customers, as it stands currently, to software makers.
The Secure by Design initiative stands upon three essential principles for software makers: ownership of customer security outcomes, embracing security-related transparency and accountability, and leading from the top. The goal is for software makers to improve the inherent security of their products by following a few best practices.
As part of the initiative, CISA also crafted its voluntary Secure by Design pledge that software manufacturers can sign. As of May 2024, 68 leading technology companies already signed the pledge. The commitment within the pledge is to work to reach seven distinct goals with their software within a year:
- Multi-factor authentication (MFA). Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of multi-factor authentication across the manufacturer's products.
- Default passwords. Within one year of signing the pledge, demonstrate measurable progress towards reducing default passwords across the manufacturers' products.
- Reducing entire classes of vulnerability. Within one year of signing the pledge, demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer's products.
- Security patches. Within one year of signing the pledge, demonstrate actions taken to measurably increase the installation of security patches by customers.
- Vulnerability disclosure policy. Within one year of signing the pledge, publish a vulnerability disclosure policy (VDP) that authorizes testing by members of the public on products offered by the manufacturer.
- CVEs. Within one year of signing the pledge, demonstrate transparency in vulnerability reporting by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every Common Vulnerabilities and Exposures (CVE) record for the manufacturer's products. Additionally, issue CVEs in a timely manner for, at minimum, all critical or high-impact vulnerabilities (whether discovered internally or by a third party) that require a customer's actions to patch or have evidence of active exploitation.
- Evidence of intrusions. Within one year of signing the pledge, demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer's products.
The seven goals, if reached by more software makers, couldn't help but improve the current state of software quality. According to a recent survey conducted by security software and services provider Sophos, poor credentials and vulnerabilities are among the most common weaknesses attackers exploit to gain entry.
For its part, Sophos has signed the CISA Secure by Design pledge and promised to make regular public updates that detail the security software maker's progress in reaching the seven goals.
"This is not a one-and-done initiative that CISA has created – it's a much-needed way of thinking about frameworks that should be built into the design and architecture of security solutions. We welcome constructive feedback on how we are addressing the seven pillars," Ross Mckerchar, CISO at Sophos, wrote in a blog post.
Sophos has cited many steps it plans to make to fulfill its Secure by Design pledge. For instance, the company already requires multi-factor authentication to access its security console, Sophos Central.
As part of its pledge, Sophos is committed to releasing passkey support in Sophos Central and publishing adoption statistics of its new, stronger multi-factor authentication. Also, customers will be able to choose their own federated multi-factor authentication. Sophos will also better ensure safe deployments through vigorous password creation enforcement during device setup.
The primary goal of CISA's Secure by Design initiative is to improve software security by enhancing software's inherent security — and secure manageability — as it's shipped from the manufacturer. By getting software makers to develop more secure code, implement reasonable security practices, and provide the public with transparent insights about their security practices, security of software can only increase. That should, sometime in the future, result in more secure and resilient enterprises.
No one knows for sure how long that will take.
