CISA Secure By Design Plege

Reveald pledges to CISA's initiative

Page Banner Image
Page Banner Image

This year at RSA, CISA launched their “Secure By Design” program – a voluntary program where participants pledge to improve security measures in their products (and use their influence to improve security across our industry).

Though criticized by some as 'toothless,'(1) – I find it hard to be critical of any endeavor which highlights the needs for good cybersecurity efforts, if it saves one person from being hacked, saves one company from a devastating ransomware attack, it’s a worthwhile effort. I am proud that Reveald was one of the first companies to sign up.

The introduction by CISA contains the following text which I think is worth repeating:

As a nation, we have allowed a system where the cybersecurity burden is placed disproportionately on the shoulders of consumers and small organizations and away from the producers of the technology and those developing the products that increasingly run our digital lives. Americans need a new model to address the gaps in cybersecurity—a model where consumers can trust the safety and integrity of the technology that they use every day.

CISA, May 2024

It's true that software providers rely on end users to apply patches, to set strong passwords, to configure our systems properly, and I think it’s only right that all software vendors are encouraged to help our customers where we can.

I started my career very early on designing software solutions, and even then customers considered 'upgrades' a dirty word. It took me a couple of cycles to understand that updating an estate of devices was hard, risky, to be avoided, and I tried from then on to build seamless upgrades into every product I lead.

Today, we are in a completely different world – many of the products we rely on upgrade themselves invisibly – even my digital notebook occasionally delights me with a message “Update available, please restart”. Consumer devices like wifi routers now have unique admin passwords, and two-factor authentication is ubiquitous.

All these features help raise the barrier to commodity cyberattacks, and make it just that little bit harder for a cybercriminal to extort us.

I long for the day when criminals have to work hard to win, and this pledge, 'toothless'(1) though it might be, it helps move us one small step in that direction.

The 7 pledge goals to be achieved within 12 months:

  1. Demonstrate actions taken to measurably increase the use of multi-factor authentication across the manufacturer’s products.
  2. Demonstrate measurable progress towards reducing default passwords across the manufacturers’ products.
  3. Demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products.
  4. Demonstrate actions taken to measurably increase the installation of security patches by customers.
  5. Publish a vulnerability disclosure policy (VDP) that authorizes testing by members of the public on products offered by the manufacturer, commits to not recommending or pursuing legal action against anyone engaging in good faith efforts to follow the VDP, provides a clear channel to report vulnerabilities, and allows for public disclosure of vulnerabilities in line with coordinated vulnerability disclosure best practices and international standards.
  6. Demonstrate transparency in vulnerability reporting by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every Common Vulnerabilities and Exposures (CVE) record for the manufacturer’s products. Additionally, issue CVEs in a timely manner for, at minimum, all critical or high impact vulnerabilities (whether discovered internally or by a third party) that either require actions by a customer to patch or have evidence of active exploitation.
  7. Demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products.

Simon Hunt | Chief Product Officer at Reveald Inc.

Cybersecurity leader with vast contributions to the industry including multiple patents, leadership within startups and Fortune 500 companies, and over a dozen successful M&A transactions. Excelling in product, innovation, user experience, and development leadership while fostering collaborative teams. Simon's mission: Stop cybercriminals from getting rich.