Commitment: Over 60 manufacturers vow to become “Secure by Design”.

The US cybersecurity agency CISA is stepping up its efforts to improve security standards in enterprise-grade software: it is launching a voluntary commitment for manufacturers under the title “Secure by Design Pledge”. Companies that sign the commitment must take steps to bring their products closer to this goal within 12 months of signing. However, there is no legally binding effect.


To date, 68 companies have made the voluntary commitment, including cloud industry giants such as Amazon Web Services, Cloudflare and Google. Meanwhile, Apple and Facebook parent company Meta are conspicuous by their absence. Several other signatories, such as Microsoft, Fortinet, Cisco and Ivanti, have recently experienced serious security problems and have been met with harsh words and punitive measures by CISA.

The pledge is not meant to be mere lip service: within one year of signing, every company is required to implement measures in seven areas. Signatories should:

  1. Expand the use of multi-factor authentication,
  2. Replace default passwords such as “admin/password” with secure alternatives,
  3. Reduce susceptibility to at least one class of security vulnerabilities – such as SQL injection – across the entire product range,
  4. Achieve a significant improvement in how customers install security patches,
  5. Establish a policy for the disclosure of vulnerabilities (vulnerability disclosure policy, VDP),
  6. Quickly assign a CVE ID and the relevant metadata to published security vulnerabilities,
  7. Make it easier to collect evidence after a security incident, for example through logs.

On the project page for the “Secure by Design Pledge”, CISA provides example measures that companies can use to boost their security efforts. It also calls on signatories to publicly document their progress.

The US cybersecurity authority offers extensive guidance on the principle of “Secure by Design”, for example on how to prevent SQL injection and directory traversal vulnerabilities.


(cku)
