2024-11-08
How Organizations are Fulfilling CISA's Secure by Design Pledge
Over the past six months, nearly 250 organizations have signed the US Cybersecurity and Infrastructure Security Agency's (CISA's) Secure by Design Pledge. The Pledge comprises seven goals: increasing the use of multi-factor authentication (MFA); reducing default passwords; reducing entire classes of vulnerabilities, such as memory safety, cross-site scripting, and SQL injection vulnerabilities; increasing the level of patch installation; publishing a vulnerability disclosure policy; increasing transparency in vulnerability reporting by publishing CWE and CPE fields in every CVE record; and 'providing artifacts and capabilities to gather evidence of intrusions.' Multiple companies, including Amazon Web Services, Fortinet, Microsoft, Okta, and Sophos, have taken steps to fulfill the pledge.
Editor's Note
There are seven goals here, and the signatories are often touting success focused on one or two of them, or nominal progress across all seven. With CISA threatening to increase the number of goals, it's going to be tricky making sure that all are fully met, not just progress made. When assessing a provider's progress against secure by design, make sure you look at the whole picture with your own measure of acceptable progress/residual risk.
Lee Neely
Oh good, nothing makes me feel more secure than more vendors giving a pinkie promise to do better at security. We need stronger regulation to enforce responsibility, accountability, and liability on vendors for the security flaws in their products.