TraitWare Signs the Secure by Design Pledge, Joining in CISA’s Quest for Strong Security for All.
In April 2023, CISA launched the Secure by Design initiative together with other national and international organizations. The initiative aims to shift responsibility for security from the consumer to the technology manufacturer. As part of CISA’s ongoing efforts to encourage companies to defend better against evolving cyber threats, this is an important step for cybersecurity.
A few introductory words from CISA’s Jen Easterly worth repeating:
“As a nation, we have allowed a system where the cybersecurity burden is placed disproportionately on the shoulders of consumers and small organizations and away from the producers of the technology and those developing the products that increasingly run our digital lives. Americans need a new model to address the gaps in cybersecurity—a model where consumers can trust the safety and integrity of the technology that they use every day.
Every technology provider must take ownership at the executive level to ensure their products are secure by design.”
But what exactly does it mean to be Secure by Design?
Here are the key points:
- Secure by Design products make the security of the end user a “core business requirement, not just a technical feature.”
- Security should be built into the product from the design phase of development, so that exploitable flaws are reduced before products enter the marketplace.
- More importantly, products should be secure to use out of the box. Security should NOT be a bolt-on feature but inherent in the product’s architecture, and it should be shipped with secure configurations enabled by default.
- Security features such as Multi-Factor Authentication (MFA), Logging, and Single Sign-On (SSO) must be readily available at no additional cost to the consumer.
Where do organizations begin?
As always, cybersecurity has many moving parts and can be overwhelming, but CISA and participating organizations have posted recommended steps for companies to get started.
Here are the highlights:
- Eliminate default passwords: Products should not come with universally shared default passwords. To eliminate default passwords, the authoring agencies recommend that products require administrators to set a strong password during installation and configuration.
- Mandate [Phishing-Resistant] Multi-Factor Authentication (MFA) for privileged users. … “Products should make MFA opt-out rather than opt-in. Further, the system should regularly prompt the administrator to enroll in MFA until they have successfully enabled it on their account.”
- Single Sign-On: IT applications should implement single sign-on via modern open standards such as Security Assertion Markup Language (SAML) or OpenID Connect (OIDC). And, as mentioned above, this capability should be available by default at no additional cost.
- User Experience is Key: “Consider the user experience consequences of security settings: Each new setting increases the cognitive burden on end users …” Ideally, the most secure setting should be integrated into the product by default. This is key because friction can lead to reduced adoption of the technology.
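To make the first three recommendations concrete, here is an added example (not TraitWare’s or CISA’s code) of what "secure by default" looks like in a product’s first-run and login logic: the installer refuses to finish until the administrator replaces any universally shared default with a strong password, MFA ships enabled so that the administrator must explicitly opt out rather than opt in, and the product keeps prompting for MFA enrollment on every privileged login until enrollment succeeds or an explicit opt-out is recorded. All names, the sample default-password list, and the strength rules are constructed for illustration.

```python
"""Secure-by-default installer and login logic (constructed illustration)."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample of universally shared defaults that must never be accepted.
KNOWN_DEFAULT_PASSWORDS = frozenset({
    "admin", "password", "12345678", "changeme", "default", "welcome1",
})
MIN_PASSWORD_LENGTH = 12  # illustrative policy value, not a CISA-mandated number


def password_problems(password: str) -> list:
    """Return the reasons a candidate admin password is unacceptable (empty list = OK)."""
    problems = []
    if password.lower() in KNOWN_DEFAULT_PASSWORDS:
        problems.append("matches a universally shared default password")
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    classes = sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored form is 'salthex$digesthex'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return secrets.compare_digest(candidate, stored)


@dataclass
class ProductConfig:
    """Shipped defaults: the secure option is ON unless an operator turns it off."""
    mfa_default_on: bool = True
    sso_enabled: bool = True
    audit_logging_enabled: bool = True


@dataclass
class AdminAccount:
    username: str
    password_hash: Optional[str] = None  # None until the installer forces a choice
    mfa_enrolled: bool = False
    mfa_opted_out: bool = False          # set only by an explicit, recorded decision


def complete_installation(account: AdminAccount, chosen_password: str) -> None:
    """Installer step: there is no default credential, so setup cannot finish without a strong one."""
    problems = password_problems(chosen_password)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    account.password_hash = hash_password(chosen_password)


def should_prompt_mfa_enrollment(account: AdminAccount, config: ProductConfig) -> bool:
    """Opt-out model: prompt on every login until enrolled or explicitly opted out."""
    if not config.mfa_default_on:
        return False
    return not (account.mfa_enrolled or account.mfa_opted_out)


def handle_admin_login(account: AdminAccount, password: str, config: ProductConfig) -> str:
    """Decide what the product does on a privileged login attempt."""
    if account.password_hash is None:
        return "installation_incomplete"   # no password ever set: nothing to log in with
    if not verify_password(password, account.password_hash):
        return "denied"
    if should_prompt_mfa_enrollment(account, config):
        return "prompt_mfa_enrollment"     # nag until MFA is actually enabled
    return "proceed"


if __name__ == "__main__":
    acct, cfg = AdminAccount("admin"), ProductConfig()
    try:
        complete_installation(acct, "admin")
    except ValueError as err:
        print(err)
    complete_installation(acct, "Tr0ub4dor&3-xyz")  # constructed sample password
    print(handle_admin_login(acct, "Tr0ub4dor&3-xyz", cfg))
```

The important design choice is that `ProductConfig` has no "insecure by default" path: MFA, SSO and audit logging are on when the object is created, and turning them off is a deliberate act that can be logged, which is exactly the opt-out posture the quoted guidance asks for.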
The Secure by Design Pledge
The Secure by Design Pledge consists of seven goals that express the company’s commitment to ensuring secure application development and deployment practices and to contributing to improved cybersecurity for users worldwide.
The seven goals of the pledge:
- Multi-Factor Authentication (MFA) across products
- Reducing exploitable default passwords across products
- Reducing entire classes of vulnerabilities
- Security patches: making it easier for customers to install them
- Releasing a vulnerability disclosure policy (VDP)
- Issuing Common Vulnerabilities and Exposures (CVE) records in a timely fashion
- Evidence of intrusions: enabling customers to gather evidence of intrusions affecting products