RSAC 2024: Vendors sign CISA’s secure by design pledge

At an RSAC 2024 event, more than 50 enterprise software vendors signed CISA’s voluntary secure by design pledge, aimed at improving the security of software products and services.

Source: RSA Conference

By Jill McKeon

SAN FRANCISCO, Calif. -- At an RSA Conference event held on May 8, security leaders representing more than 50 vendors signed a secure by design pledge, spearheaded by the Cybersecurity and Infrastructure Security Agency (CISA).

CISA defines secure by design products as those in which “the security of the customers is a core business requirement, not just a technical feature.”

Companies that adopt these principles consider security during the design phase and throughout the product’s lifecycle, minimizing exploitable flaws along the way, CISA states.

“Government can’t do this alone, private industry can’t do this alone. We have to bring the community together,” CISA Director Jen Easterly said during the RSA Conference event.

“So, our goal for the entire community is to shift the security burden from individuals and small businesses – in other words, end users whose business is not a technology development effort – to technology manufacturers whose business it is, and who are in the best position to address and manage security risk from the start.”

The secure by design pledge is voluntary and focuses on enterprise software products and services, including cloud services, SaaS, and on-premises software. Companies that signed the pledge were asked to consider seven core goals and demonstrate their progress toward those goals within one year of signing the pledge.

The goals range from foundational efforts such as increasing the use of multi-factor authentication (MFA) and reducing default passwords across products to reducing entire classes of vulnerabilities and publishing a vulnerability disclosure policy.

Each goal outlined in the pledge also includes examples of demonstrating measurable progress, and relevant context that aligns the goal to a select secure by design principle.

“Adversaries like Volt Typhoon are getting into our critical infrastructure in ways where the friction is just not there. They are able to get into our critical infrastructure because of flaws and defects in our technology,” Easterly continued.

“But we have the power to change this, and we don’t have to be chained to the way things are. We can together achieve long-term security through fundamentally more secure software.”

Microsoft, AWS, Google, Cisco, and dozens of other companies signed the pledge, committing to continuing their focus on secure by design efforts. For many companies, the goals outlined in the pledge are already top-of-mind.

“Secure by design has been the cornerstone of Google's security work from the very beginning. It's a concept built around the guiding principle of the safety and security of our enterprise customers and end-users,” said Heather Adkins, vice president and cybersecurity resilience officer at Google, in a statement of support for the pledge.

“We're thrilled to be joining forces with CISA and our industry peers to further amplify secure by design and make people safer online.” 

Claroty, a company that previously acquired Medigate and offers healthcare cybersecurity solutions, also signed the pledge and noted the challenges that come along with mitigating risks in cyber-physical systems.

“The good news is that entire classes of risk can be addressed with the common sense goals laid out in the Secure by Design pledge,” said Grant Geyer, chief product officer at Claroty.

“While Claroty already meets or exceeds most of these goals, we pledge to lead by example and continue making marked improvements across these and other objectives.”

The secure by design pledge is not legally binding, but CISA encouraged signees to document and publish their efforts to meet these goals.