A total of 68 tech firms have signed onto the Cybersecurity and Infrastructure Security Agency’s (CISA) Secure by Design pledge under which they will use best efforts over the next year to build better security into their products.
CISA unveiled the roster of pledge takers – which includes Big Tech stalwarts Microsoft, Cisco, and Amazon Web Services – on Wednesday evening at the RSA Conference in San Francisco. CISA Director Jen Easterly previewed the news at the conference earlier this week.
The Secure by Design pledge builds on CISA guidance issued in April 2023 that urges “software manufacturers to take urgent steps necessary to ship products that are secure by design and revamp their design and development programs to permit only secure by design products to be shipped to customers.”
The new Secure by Design commitments are being made voluntarily, CISA said, and aim to produce progress over the next year to:
- Increase the use of multi-factor authentication;
- Decrease the use of default passwords;
- Reduce the “prevalence of one or more vulnerability classes across the manufacturer’s products”;
- Increase the installation of security patches by customers;
- Publish vulnerability disclosure policies that authorize testing by customers, provide a “clear channel” to report vulnerabilities, and publicly disclose vulnerabilities “in line with coordinated vulnerability disclosure best practices and international standards”;
- Report accurate “Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every Common Vulnerabilities and Exposures (CVE) record for the manufacturer’s products”; and
- Increase the “ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products.”
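Of the seven goals, the CVE-record item is the one a manufacturer's product security team can check mechanically before a record is published. The script below is an added example, not code from CISA or from any pledge signatory. It assumes records in the CVE Record Format 5.x JSON layout (CWE ids under `containers.cna.problemTypes[].descriptions[]` with `type` "CWE", and CPE 2.3 strings under `containers.cna.affected[].cpes[]`), and it runs over three constructed records that carry placeholder ids rather than real CVE identifiers.

```python
import re

# Added example (not CISA's or any signatory's code). Assumption: records follow
# the CVE Record Format 5.x JSON layout, with CWE ids under
# containers.cna.problemTypes[].descriptions[] (type "CWE", key "cweId") and
# CPE 2.3 strings under containers.cna.affected[].cpes[].

CWE_RE = re.compile(r"^CWE-\d+$")
# A CPE 2.3 formatted string is "cpe:2.3:" + part (a/h/o) + 10 more
# colon-separated components ("*" and "-" are legal component values).
CPE23_RE = re.compile(r"^cpe:2\.3:[aho](?::[^:]+){10}$")

# Constructed sample records with placeholder ids (not real CVEs).
SAMPLE_RECORDS = [
    {   # complete: one CWE, one well-formed CPE
        "cveMetadata": {"cveId": "EXAMPLE-0001"},
        "containers": {"cna": {
            "problemTypes": [{"descriptions": [
                {"type": "CWE", "cweId": "CWE-79", "lang": "en",
                 "description": "Cross-site scripting"}]}],
            "affected": [{"vendor": "examplevendor", "product": "exampleproduct",
                          "cpes": ["cpe:2.3:a:examplevendor:exampleproduct:1.0:*:*:*:*:*:*:*"]}],
        }},
    },
    {   # free-text weakness only, and no CPE at all
        "cveMetadata": {"cveId": "EXAMPLE-0002"},
        "containers": {"cna": {
            "problemTypes": [{"descriptions": [
                {"type": "text", "lang": "en", "description": "memory safety issue"}]}],
            "affected": [{"vendor": "examplevendor", "product": "exampleproduct"}],
        }},
    },
    {   # CWE present, but the CPE string is truncated
        "cveMetadata": {"cveId": "EXAMPLE-0003"},
        "containers": {"cna": {
            "problemTypes": [{"descriptions": [
                {"type": "CWE", "cweId": "CWE-20", "lang": "en",
                 "description": "Improper input validation"}]}],
            "affected": [{"vendor": "examplevendor", "product": "exampleproduct",
                          "cpes": ["cpe:2.3:a:examplevendor:exampleproduct:1.0"]}],
        }},
    },
]


def _cna(record):
    return record.get("containers", {}).get("cna", {})


def cwe_ids(record):
    """Return every CWE id the CNA container asserts for this record."""
    ids = []
    for pt in _cna(record).get("problemTypes", []):
        for desc in pt.get("descriptions", []):
            if desc.get("type") == "CWE" and desc.get("cweId"):
                ids.append(desc["cweId"])
    return ids


def cpe_strings(record):
    """Return every CPE string listed under affected[].cpes."""
    cpes = []
    for entry in _cna(record).get("affected", []):
        cpes.extend(entry.get("cpes", []))
    return cpes


def check_record(record):
    """Return (cve_id, problems); an empty list means CWE and CPE are present and well-formed."""
    cve_id = record.get("cveMetadata", {}).get("cveId", "<unknown>")
    problems = []
    cwes = cwe_ids(record)
    if not cwes:
        problems.append("no CWE in problemTypes")
    problems.extend(f"malformed CWE id {c!r}" for c in cwes if not CWE_RE.match(c))
    cpes = cpe_strings(record)
    if not cpes:
        problems.append("no CPE in affected[].cpes")
    problems.extend(f"malformed CPE {c!r}" for c in cpes if not CPE23_RE.match(c))
    return cve_id, problems


def audit(records):
    """Map each record id to its list of problems."""
    return dict(check_record(r) for r in records)


def incomplete_ids(records):
    """Ids of records that fail the CWE/CPE completeness check, sorted."""
    return sorted(cve_id for cve_id, problems in audit(records).items() if problems)


if __name__ == "__main__":
    for cve_id, problems in audit(SAMPLE_RECORDS).items():
        print(f"{cve_id}: {'ok' if not problems else '; '.join(problems)}")
```

Run against a directory of exported records, a check like this fits as a pre-publication gate in a CNA's workflow: a record with no CWE, or with a CPE that does not parse as a 13-field CPE 2.3 string, is the kind of incomplete entry the pledge asks manufacturers to stop shipping. The check is structural only; it does not tell you whether the chosen CWE is the right one, which still needs a human reviewer.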
The 68 companies that have signed the pledge are: 1touch.io, Akamai, Amazon Web Services, Apiiro, Armis, Automox, BigID, BlackBerry, Bugcrowd, Chainguard, Cisco, Claroty, Cloudflare, CrowdStrike, Cybeats, Resilience, ESET, Everfox, Finite State, Forescout, Fortinet, Gigamon, GitHub, GitLab, Google, Hewlett Packard Enterprise, HiddenLayer, HP, Huntress, IBM, Infoblox, InfoSec Global, Ivanti, Kiteworks, Lasso Security, Lenovo, Manifest, Microsoft, N-able, NetApp, Netgear, Okta, Palo Alto Networks, Pangea, Proofpoint, Qualys, Rapid7, Red Queen Dynamics, Scale AI, Secureworks, Securin, Security Compass, SentinelOne, Socket, Sonatype, Sophos, Tenable, ThreatQuotient, ThriveDX, Tidelift, Trellix, Trend Micro, Vanta, Veracode, Veritas Technologies LLC, Wiz, Xylem, and Zscaler.
“More secure software is our best hope to protect against the seemingly never-ending scourge of cyberattacks facing our nation,” Easterly said upon releasing the pledge list. “I am glad to see leading software manufacturers recognize this by joining us at CISA to build a future that is more secure by design.”
“I applaud the companies who have already signed our pledge for their leadership and call on all software manufacturers to take the pledge and join us in creating a world where technology is safe and secure right out of the box,” the CISA director said.
Jack Cable, senior technical advisor at CISA, said that “the items in the pledge directly address some of the most pervasive cybersecurity threats we at CISA see today, and by taking the pledge software manufacturers are helping raise our national cybersecurity baseline.”
“Every software manufacturer should recognize that they have a responsibility to protect their customers, contributing to our national and economic security,” Cable said. “I appreciate the leadership of those who signed on and hope that every technology manufacturer will follow suit.”