68 tech names sign CISA's secure-by-design pledge

RSAC Some of the biggest names in tech – including AWS, Microsoft, Google, Cisco and IBM – have signed up to a US Cybersecurity and Infrastructure Agency-led effort and promised to take a series of actions within a year to make their products more secure.

And we're so sure they will.

CISA's Secure by Design pledge – signed by 68 orgs during RSA Conference on Wednesday – is a voluntary commitment to "make a good-faith effort to work towards" seven goals within a year of signing the pledge, and be able to measurably show their progress.

They are:

• Increase the use of multi-factor authentication (MFA) across their products;
• Reduce default passwords across their products;
• Reduce one or more entire classes of vulnerabilities;
• Increase the installation of security patches by customers;
• Publish a vulnerability disclosure policy (VDP) that authorizes testing by members of the public on products, commits to not recommending or pursuing legal action against anyone engaging in good faith efforts to follow the VDP, provides a clear channel to report vulnerabilities, and allows for public disclosure in line with coordinated vulnerability disclosure best practices and standards;
• Demonstrate transparency in vulnerability reporting by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every CVE record for their products – and issue CVE in a "timely manner," at least for critical and high-impact bugs; and
• Make it easier for customers to spot evidence of intrusions affecting their products.

"Our goal for the entire community is to shift the security burden from individuals and small businesses – in other words, end users whose business is not a technology development effort or cyber security – to technology manufacturers whose business it is, and who are in the best position to address and manage security risks from the start," CISA director Jen Easterly said during the doc's signing at the annual cyber security conference.

Easterly also noted the threats to US critical infrastructure from Chinese government-backed cyber thugs including Volt Typhoon. 

"They are able to get into our critical infrastructure because of flaws and defects in our technology," she added. "But we have the power to change this. We can, together, achieve long-term security through fundamentally more secure software."

In fact, building more secure software is "The only way to catalyze more secure critical infrastructure," Easterly warned.

Still, these commitments remain voluntary. And it is unclear whether the tech titans who have signed on will hold up their end of the agreement – or whether the Feds will do anything to call out those who don't.

• CISA boss: Secure code is the 'only way to make ransomware a shocking anomaly'
• CISA's early-warning system helped critical orgs close 852 ransomware holes
• UnitedHealth's 'egregious negligence' led to Change Healthcare ransomware infection
• America's War on Drugs and Crime will be AI powered, says Homeland Security boss

The plan, we hear, is to reconvene at next year's RSA Conference for an update on what the 68 have accomplished over the last year. Plus, the pledge is open to any and all software manufacturers, and CISA hopes to recruit more participants before the 2025 event.

Perhaps unsurprisingly, a big chunk of the names on the list are security providers. As such, building secure software should be a business imperative, according to Christina Cacioppo, CEO of security and compliance firm Vanta. 

"First and foremost, especially as a security company ourselves, to the extent we do something silly that causes us to lose customer data, it is likely – and honestly probably should be – a company-ending event," Cacioppo argued. "As a security company, you live in a glass house. Make sure you're doing what you should do. And so, with that frame, it's very much a company-wide priority." ®