Nearly 70 software vendors sign up to CISA’s cyber resilience program

Jen Easterly, director of CISA, speaking at the Kyiv International Cyber Resilience Forum in 2024. (Image credit: Getty Images)

Nearly 70 leading US software companies have agreed to join a voluntary pledge drawn up by CISA urging developers to incorporate secure by design principles into their products.

CISA director Jen Easterly said she has seen real change in the software ecosystem since the initiative’s announcement in April 2023, and on 8 May CISA announced the first round of commitments from high-profile companies at the RSA Conference in San Francisco. 

Easterly said the goal of the project is to promote better built-in security to counter both the ongoing “scourge of ransomware” and a concerning rise in state-sponsored threat campaigns focussed on disrupting critical national infrastructure.

“[Nation-state threat actors] are burrowing into our critical infrastructure not for espionage, not for data theft, not for intellectual property theft, but specifically to launch disruptive and destructive attacks in the event of a major conflict”.

Easterly said this threat was “different in kind” to anything she has observed over the course of her career, and it is why the US government is prioritizing cyber resilience and implementing secure by design principles across as many digital products as possible.

The pledge consists of seven goals, each with core criteria that define what the manufacturers are pledging to work towards, along with examples of how they can demonstrate measurable progress towards achieving these targets.

Similarly, the pledge sets out a number of ways in which signatories can demonstrate quantifiable progress towards their goals, but gives the companies some discretion to decide how best to demonstrate that progress.

The first round of commitments included major players signing up to the pledge including Microsoft, IBM, AWS, CrowdStrike, GitLab, Sophos, Lenovo, NetApp, and HP.

Easy wins to bolster cyber resilience across the board

First up is increasing the use of multi-factor authentication (MFA) across software products, which the pledge describes as the best defense against popular password-based attacks such as credential stuffing.

Companies that sign on to the pledge will be asked to make efforts to reduce the use of default passwords in their products, either by switching to random, instance-unique passwords or by requiring the user to create a strong password as soon as they begin the product’s installation process.
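The default-password goal above is the one on the list that maps most directly onto code. The following Python is an added illustration, not CISA's or any signatory's code: it puts the factory-default anti-pattern next to the two remedies the pledge names, a per-instance random password minted with the OS CSPRNG, or a user-chosen password that must pass a setup-time policy. The blocklist of common defaults and the policy thresholds are constructed values for the example.

```python
import secrets
import string
from typing import Optional

# Constructed blocklist of well-known factory defaults; illustrative only,
# a real product would check against a much larger list (assumption).
KNOWN_DEFAULTS = {"admin", "password", "12345678", "changeme", "default"}

MIN_LENGTH = 12  # setup-time policy threshold chosen for this example


def generate_instance_password(length: int = 16) -> str:
    """Return a random password unique to this installation.

    Draws from the OS CSPRNG via `secrets` and guarantees at least one
    lowercase, uppercase and digit character so the result also satisfies
    is_strong_password(); the shuffle keeps the guaranteed characters from
    always landing in the same positions.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
    chars = [secrets.choice(c) for c in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def is_strong_password(candidate: str) -> bool:
    """Policy applied to a user-chosen password during first-run setup."""
    if len(candidate) < MIN_LENGTH:
        return False
    if candidate.lower() in KNOWN_DEFAULTS:
        return False
    has_lower = any(ch.islower() for ch in candidate)
    has_upper = any(ch.isupper() for ch in candidate)
    has_digit = any(ch.isdigit() for ch in candidate)
    return has_lower and has_upper and has_digit


# "Before": the anti-pattern the pledge asks vendors to eliminate.
def initial_credentials_before() -> dict:
    # Every shipped instance starts with the same factory credential, so one
    # published or guessed value is valid on every unconfigured installation.
    return {"username": "admin", "password": "admin"}


# "After": a per-instance secret, or an enforced strong user choice.
def initial_credentials_after(user_choice: Optional[str] = None) -> dict:
    if user_choice is None:
        # Installer supplied nothing: mint a password unique to this instance.
        return {"username": "admin", "password": generate_instance_password()}
    if not is_strong_password(user_choice):
        raise ValueError("password does not meet the setup policy")
    return {"username": "admin", "password": user_choice}


if __name__ == "__main__":
    print("before:", initial_credentials_before())
    print("after :", initial_credentials_after())
```

The generated password should be shown to the installer once (or written to a protected file) and never logged; whichever path is taken, the product never runs with a credential that is identical across installations.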

Within one year of signing the pledge, companies will also be expected to demonstrate the actions they have taken to significantly reduce the prevalence of one or more vulnerability classes in their products.

By eliminating vulnerabilities by class, CISA argues companies can prevent these flaws at scale which could significantly improve the efficiency of their efforts to keep their products secure.

The pledge wants software manufacturers to take ownership of the security outcomes of their customers, even after the product has been shipped. 

As such, it targets increasing the installation of security patches by asking companies to make it easier to install the updates. This could be achieved through introducing automatic update mechanisms or by providing patch support, for example.

Timely vulnerability disclosure is another important aspect of ensuring companies stay secure. By next year, signees are expected to publish their own vulnerability disclosure policy (VDP) that provides a clear channel for reporting flaws.

Moreover, the pledge hopes to boost transparency further by asking its signatories to commit to demonstrating material improvements in the accuracy of their vulnerability reporting, providing accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every CVE record for their products.
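The CWE/CPE goal is easy to turn into a pre-publication check a CNA can run over its own records. The Python below is an added example, not tooling from CISA or the CVE Program: it assumes the CVE JSON 5.x record layout, where the CNA container carries `problemTypes[].descriptions[].cweId` and `affected[].cpes[]`, and it flags records that omit either field or carry a malformed value. The two sample records are constructed, the CVE ID in them is a placeholder, and the CPE pattern deliberately ignores escaped colons to keep the check readable.

```python
import re

# Assumption: CVE JSON 5.x layout (containers.cna.problemTypes / affected).
CWE_RE = re.compile(r"^CWE-\d+$")
# cpe:2.3:<part>:<vendor>:<product> followed by the 8 remaining components
# (version, update, edition, language, sw_edition, target_sw, target_hw, other).
CPE23_RE = re.compile(r"^cpe:2\.3:[aho*-]:[^:]+:[^:]+(:[^:]*){8}$")


def check_cve_record(record: dict) -> list:
    """Return a list of findings; an empty list means the record passes."""
    findings = []
    cna = record.get("containers", {}).get("cna", {})

    # Every record should classify the weakness with at least one CWE id.
    cwe_ids = [
        d.get("cweId")
        for pt in cna.get("problemTypes", [])
        for d in pt.get("descriptions", [])
        if d.get("cweId")
    ]
    if not cwe_ids:
        findings.append("no CWE id in problemTypes")
    for cwe in cwe_ids:
        if not CWE_RE.match(cwe):
            findings.append(f"malformed CWE id: {cwe!r}")

    # Every affected product should be pinned with a machine-readable CPE.
    affected = cna.get("affected", [])
    if not affected:
        findings.append("no affected products")
    for entry in affected:
        cpes = entry.get("cpes", [])
        if not cpes:
            findings.append(
                f"no CPE for {entry.get('vendor')}/{entry.get('product')}"
            )
        for cpe in cpes:
            if not CPE23_RE.match(cpe):
                findings.append(f"malformed CPE: {cpe!r}")
    return findings


# Constructed sample: a record that meets the pledge's accuracy goal.
GOOD_RECORD = {
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0",
    "cveMetadata": {"cveId": "CVE-0000-0000", "state": "PUBLISHED"},  # placeholder id
    "containers": {
        "cna": {
            "affected": [
                {
                    "vendor": "examplevendor",
                    "product": "exampleproduct",
                    "versions": [{"version": "1.2.3", "status": "affected"}],
                    "cpes": ["cpe:2.3:a:examplevendor:exampleproduct:1.2.3:*:*:*:*:*:*:*"],
                }
            ],
            "problemTypes": [
                {"descriptions": [{"lang": "en", "description": "Cross-site scripting",
                                   "cweId": "CWE-79", "type": "CWE"}]}
            ],
        }
    },
}

# Constructed sample: same record with the CWE id and CPE left out.
BAD_RECORD = {
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0",
    "cveMetadata": {"cveId": "CVE-0000-0000", "state": "PUBLISHED"},  # placeholder id
    "containers": {
        "cna": {
            "affected": [
                {"vendor": "examplevendor", "product": "exampleproduct",
                 "versions": [{"version": "1.2.3", "status": "affected"}]}
            ],
            "problemTypes": [
                {"descriptions": [{"lang": "en", "description": "Input validation issue"}]}
            ],
        }
    },
}

if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        print(name, check_cve_record(rec) or "ok")
```

Wiring a check like this into the CNA's publication pipeline turns the pledge's "accurate CWE and CPE in every record" wording into a gate that fails a record before it reaches the CVE List, which is also the kind of measurable evidence the pledge asks signatories to show.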

Finally, CISA wants companies to get better at recognizing and reporting unauthorized access to their internal systems. It states that assenting companies should be able to demonstrate a measurable uptick in their ability to gather evidence of cyber security intrusions affecting their products.

“The only way we can make ransomware and cyber attacks a shocking anomaly”

The EU’s own approach to boosting security postures across the board, the Cyber Resilience Act, received formal approval in March 2024. It is a legal framework that sets out cyber security requirements for both hardware and software products sold in the region.

The framework targets similar problems currently rife among digital products, such as improving the security of the software supply chain and better vulnerability reporting from manufacturers, but importantly this approach is legally binding and those who fall foul of it could be prosecuted.

The UK has also introduced legislation looking to eradicate common security issues with its Product Security and Telecommunications Infrastructure (PSTI) Act which, like the Secure by Design pledge, wants to get rid of default passwords, though in this case for smart devices rather than software products.

CISA’s Secure by Design pledge does not incorporate hardware, but the agency added that companies that wish to demonstrate progress in those areas are welcome to do so.


More importantly, the goals outlined in the pledge are not legally binding, and it is not clear if the signatories can pick and choose which targets they want to try to meet, as the agency will have little recourse if they were to take this approach.

Speaking to this concern, Easterly argued that the strength of the approach centers around transparency, where customers will be able to see which vendors are taking security seriously.

“It is a voluntary pledge but the great thing is we have a platform to be able to advance radical transparency and so consumers that have to make decisions about what technology they buy will see whether these technology manufacturers actually took those steps”, she explained.

“I think it is the only way we can make ransomware and cyber attacks a shocking anomaly, and that is to ensure that the technology is more secure.”

The fact the pledge already has 68 high-profile software manufacturers signed on suggests software developers are more than happy to signal to regulators they care about improving the baseline security of their products, and as such could prove to be a useful way of getting industry buy-in without having to resort to the threat of legislation.

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.