CISA Secure By Design Plege

This year at RSA, CISA launched their “Secure By Design” program – a voluntary program where participants pledge to improve security measures in their products (and use their influence to improve security across our industry).

Though criticized by some as 'toothless,'(1) – I find it hard to be critical of any endeavor which highlights the needs for good cybersecurity efforts, if it saves one person from being hacked, saves one company from a devastating ransomware attack, it’s a worthwhile effort. I am proud that Reveald was one of the first companies to sign up.

The introduction by CISA contains the following text which I think is worth repeating:

It's true that software providers rely on end users to apply patches, to set strong passwords, to configure our systems properly, and I think it’s only right that all software vendors are encouraged to help our customers where we can.

I started my career very early on designing software solutions, and even then customers considered 'upgrades' a dirty word. It took me a couple of cycles to understand that updating an estate of devices was hard, risky, to be avoided, and I tried from then on to build seamless upgrades into every product I lead.

Today, we are in a completely different world – many of the products we rely on upgrade themselves invisibly – even my digital notebook occasionally delights me with a message “Update available, please restart”. Consumer devices like wifi routers now have unique admin passwords, and two-factor authentication is ubiquitous.

All these features help raise the barrier to commodity cyberattacks, and make it just that little bit harder for a cybercriminal to extort us.

I long for the day when criminals have to work hard to win, and this pledge, 'toothless'(1) though it might be, it helps move us one small step in that direction.

The 7 pledge goals to be achieved within 12 months:

1. Demonstrate actions taken to measurably increase the use of multi-factor authentication across the manufacturer’s products.
2. Demonstrate measurable progress towards reducing default passwords across the manufacturers’ products.
3. Demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products.
4. Demonstrate actions taken to measurably increase the installation of security patches by customers.
5. Publish a vulnerability disclosure policy (VDP) that authorizes testing by members of the public on products offered by the manufacturer, commits to not recommending or pursuing legal action against anyone engaging in good faith efforts to follow the VDP, provides a clear channel to report vulnerabilities, and allows for public disclosure of vulnerabilities in line with coordinated vulnerability disclosure best practices and international standards.
6. Demonstrate transparency in vulnerability reporting by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every Common Vulnerabilities and Exposures (CVE) record for the manufacturer’s products. Additionally, issue CVEs in a timely manner for, at minimum, all critical or high impact vulnerabilities (whether discovered internally or by a third party) that either require actions by a customer to patch or have evidence of active exploitation.
7. Demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products.