RSAC Some of the largest companies in the technology industry, including AWS, Microsoft, Google, Cisco, and IBM, are joining an effort led by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and have promised to make a series of changes within a year to make their products more secure.
CISA's Secure by Design pledge, signed by 68 organizations during Wednesday's RSA Conference, commits them to "make a good-faith effort" toward seven goals and to visibly demonstrate progress within one year of signing. The pledge is voluntary.
The seven goals are:
- Increase the use of multi-factor authentication (MFA) across your products.
- Reduce default passwords across products.
- Mitigate one or more entire classes of vulnerabilities across products.
- Increase customer installation of security patches.
- Publish a Vulnerability Disclosure Policy (VDP) that allows the public to test the products, commits to not recommending or pursuing legal action against anyone making a good-faith effort to comply with the VDP, provides clear channels for reporting vulnerabilities, and allows public disclosure aligned with coordinated vulnerability disclosure best practices and standards.
- Demonstrate transparency in vulnerability reporting by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in all CVE records for the products, and issue CVEs in a "timely" manner, at least for critical and high-impact bugs.
- Make it easier for customers to find evidence of intrusions affecting their products.
"Our goal for the community as a whole is to shift the burden of security from individuals and small businesses, end users who are not in the business of technology development or cybersecurity, to the technology manufacturers who are in the business of doing so. They are in the best position to address and manage it," CISA Director Jen Easterly said during the signing ceremony at the annual security conference.
Easterly also cited the threat to U.S. critical infrastructure from Chinese government-backed attackers, including Volt Typhoon.
"Flaws in our technology allow them to penetrate our critical infrastructure," she added. "But we have the power to change this. Together, we can achieve long-term security through fundamentally more secure software."
In fact, Easterly warned that building more secure software is “the only way to promote more secure critical infrastructure.”
However, these efforts remain voluntary. It's unclear whether the big tech companies that signed on will hold up their end of the deal, or whether the federal government will take any steps to call out companies that don't sign on.
We hear that the plan is to meet again at next year's RSA Conference to get an update on what the 68 companies have achieved over the past year. The pledge is also open to any software maker, and CISA hopes to recruit even more participants by its 2025 event.
Perhaps unsurprisingly, the majority of the names on the list are security providers. For those firms, building secure software is a business imperative, says Christina Cacioppo, CEO of security and compliance company Vanta.
"First and foremost, to the extent that we ourselves, especially as a security company, did something stupid like losing customer data, that would probably, and honestly should, be the event that spelled the end for the company," Cacioppo said. "Security companies live in glass houses. Make sure you do what you're supposed to do. So in that framework, that becomes a company-wide priority." ®