Software vendors are flocking to CISA’s Secure by Design Pledge
CISA’s Secure by Design Pledge is picking up momentum, adding a further 100 companies to its list of signees since May


More than 180 software companies have signed up to CISA’s voluntary Secure by Design Pledge to take greater responsibility for the security of their products.
The pledge requires software vendors to place added emphasis on building security principles into the design and manufacture of their products.
CISA launched its wider Secure by Design initiative in April 2023, and CISA director Jen Easterly unveiled the pledge itself at the RSA Conference in May 2024, revealing a first round of commitments from high-profile companies including HP, IBM, AWS, NetApp, and Microsoft.
On 8 May, Easterly said the pledge had already attracted around 70 signees in that first round, and the program appears to be picking up momentum, with approximately another 100 joining over the following months.
The latest of these was enterprise identity specialist SailPoint, which announced on 30 July it would be taking the pledge, committing itself to seven distinct goals, each aimed at boosting the security of software products before they hit the market.
Rex Booth, CISO at SailPoint, said every technology company has a role to play in the continuing effort to stay ahead of threat actors and raise levels of cyber resilience across the board.
“Every technology provider is an unwitting part of the cyber battlespace. But unlike in the physical world, there’s no cyber army coming to our rescue. Each of us is responsible for the security of our products and, by extension, the security of those we serve,” he explained.
“The Secure by Design pledge is a great way to promote a sense of communal responsibility among those of us with the greatest potential for impact. At SailPoint, we are proud to join our peers and support this important initiative.”
Secure by Design Pledge will push firms to take ownership of security outcomes at the executive level
The founding goal of the Secure by Design Pledge is to encourage software builders to shoulder more of the responsibility for ensuring their solutions are secure when they reach the hands of end-users.
“As a nation, we have allowed a system where the cybersecurity burden is placed disproportionately on the shoulders of consumers and small organizations and away from the producers of the technology and those developing the products that increasingly run our digital lives,” CISA stated in a blog announcing the pledge.
“Every technology provider must take ownership at the executive level to ensure their products are secure by design.”
The seven goals CISA wants firms to focus on are a response to the attack techniques it has observed in the current threat landscape. They include wider use of multi-factor authentication (MFA), the elimination of default passwords, timely vulnerability disclosure, and improving customers’ ability to gather evidence of cyber intrusions affecting the manufacturer’s products.
The program asks software vendors to be able to demonstrate measurable progress towards achieving each of its seven targets, and one signee – Sophos – recently updated customers on its progress.
Sophos’ update gave further details on how it plans on meeting each of its seven targets, which include releasing passkey support for its cloud management, prohibiting the use of default credentials in all current and future products, as well as releasing a feature by September 2025 that will enable customers to automatically schedule updates for their Sophos Firewall.
Ross McKerchar, CISO at Sophos, noted that the project is not about meeting the goal and resting on one’s laurels, but instead to create a new way of thinking about how software products are designed.
“This is not a one and done initiative that CISA has created – it’s a much-needed way of thinking and framework that should be built into the design and architecture of security solutions.”

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.