May 29, 2024 By Sue Poremba 4 min read

The tech industry has the power to protect the world from nation-state attacks, cyber crime and those who want to compromise data and manipulate critical infrastructure. But with that power comes great responsibility, which, to be honest, the tech industry has not been especially interested in shouldering.

But at the RSA Conference (RSAC) in San Francisco, the cybersecurity and tech communities took steps to exert some power and take responsibility. They took the Secure by Design pledge, a promise to make a good-faith effort to ensure security measures are built into software and to work toward meeting seven security goals over the coming year.

“With the widespread public use of increasingly connected devices, there is a real urgency that everybody feels and is highly aware of. It is all about developing new and retrofitting old technologies and software with security as a core consideration,” Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), told a full room of representatives from a wide range of tech and cybersecurity companies, both large and small.

However, Easterly added, given the ever-changing and unprecedented level of cyber threats, especially those targeting government and critical infrastructure, time is now the critical factor. We can't wait for innovations to arrive or for responses to new attacks to be developed after the fact.

“We have to make security a priority right now,” Easterly said. That’s the impetus of the Secure by Design movement. “The federal government can’t do this alone.” Private industry — the companies in the best position to address cybersecurity threats — is also best suited to take on the burden of managing security risks from the beginning of the development process.

Taking the pledge

When Secure by Design was introduced in 2023, 17 partners signed on to a white paper that began a global discussion about its principles. In December 2023, CISA also introduced its Secure by Design alert series, which highlights how software manufacturers can eliminate entire classes of vulnerabilities rather than patching instances one at a time. One recent alert, for instance, covered SQL injection, while another covered path traversal. These steps follow the Biden administration's national cybersecurity strategy, whose goal is to shift the burden of cybersecurity off business owners and software users and onto the technology companies that can actually fix and prevent security flaws.
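To make concrete what "eliminating a class of vulnerabilities" means in code, here is an added example for the two classes the alerts above name. It is written for this edit and is not code from the article or from CISA's alerts; the users table, the /srv/uploads directory and the function names are constructed for the demonstration. For each class it shows the vulnerable pattern beside the construction that removes the whole class, as opposed to filtering or escaping, which only mitigates individual instances.

```python
"""Added example (not the article's or CISA's code): removing two
vulnerability classes named in CISA's Secure by Design alerts, SQL injection
and path traversal, by construction instead of by input filtering."""
import sqlite3
from pathlib import Path


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with one user; stands in for a real DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'alice@example.com')")
    return conn


def lookup_email_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The 'before': attacker-controlled text is spliced into the SQL string,
    so a value such as  x' OR '1'='1  changes the query's logic."""
    sql = f"SELECT email FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_hardened(conn: sqlite3.Connection, username: str) -> list:
    """The 'after': a parameterized query. The driver passes the value
    separately from the statement, so no input can alter the query's shape.
    This removes the class; escaping quotes would only mitigate it."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def file_path_vulnerable(base_dir: str, user_supplied: str) -> str:
    """The 'before': the name a client sends is joined onto the base
    directory with no check, so '../../etc/passwd' walks out of it."""
    return str(Path(base_dir) / user_supplied)


def file_path_hardened(base_dir: str, user_supplied: str) -> str:
    """The 'after': canonicalise both paths (collapsing '..' and symlinks)
    and require the result to sit strictly inside the base directory.
    An absolute user path is rejected by the same check, because joining
    an absolute right-hand side discards the base."""
    base = Path(base_dir).resolve()
    candidate = (base / user_supplied).resolve()
    if base not in candidate.parents:
        raise ValueError(f"{user_supplied!r} escapes {base}")
    return str(candidate)


def is_contained(base_dir: str, user_supplied: str) -> bool:
    """True when file_path_hardened would accept the supplied name."""
    try:
        file_path_hardened(base_dir, user_supplied)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_email_vulnerable(db, payload))  # leaks alice
    print("hardened:  ", lookup_email_hardened(db, payload))    # []
    for name in ("reports/q1.pdf", "../../etc/passwd", "/etc/passwd"):
        print(f"{name!r:22} allowed={is_contained('/srv/uploads', name)}")
```

The point the alerts make is visible in the contrast: the hardened functions do not try to recognise bad input, they use an API shape (bound parameters, canonical-path containment) in which the bad input has no effect, so the class disappears from every call site that uses them.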

The next step came on May 8 at RSAC, when nearly 70 companies voluntarily signed the pledge to give security greater weight in product features and to take the time to address potential vulnerabilities before a product is pushed to market. Since then, the number of signatories has grown to nearly 100.

The companies that have made the pledge include well-known tech giants such as IBM, Google and Microsoft, as well as a variety of large and small cybersecurity companies. Many of the companies attending Easterly's talk have already begun to implement the principles of Secure by Design, including some startups whose business is built around them.

What it means to take the Secure by Design pledge

According to CISA, the pledge is structured around seven goals, each with core criteria. Every software manufacturer participating in the pledge is free to decide how best to meet and demonstrate the core criteria of each goal within the parameters of its own business.

These seven goals are:

  • Implement multi-factor authentication across products
  • Reduce or eliminate default passwords
  • Reduce classes of vulnerabilities
  • Increase installation of security patches
  • Develop and publish a vulnerability disclosure policy that authorizes testing by members of the public on products
  • Demonstrate transparency in vulnerability reporting by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every Common Vulnerabilities and Exposures (CVE) record for the manufacturer’s products
  • Provide customers with the ability to gather evidence of cybersecurity intrusions affecting the manufacturer’s products

CISA is the agency spearheading Secure by Design, but it will be up to each organization that has signed the pledge to put the program into action and make it work. The commitments are voluntary, each organization has its own priorities, and measures proposed by people without technical expertise may not work in practice, which means that meeting the seven goals of Secure by Design is going to be an uphill battle.

Cloud-native companies may have the advantage since they don’t have legacy vulnerability problems, said Christina Cacioppo, CEO of Vanta, during a panel discussion. But cloud companies can also become lackadaisical about security.

What's great about this pledge is that it's a first cut at things we believe software providers should uphold, and government and industry pressure can help push this along, said Cacioppo.

Why Secure By Design is vital now

Simply put, the threats have changed. Easterly warned that threats from China, for example, are more serious than ever. Nation-state actors are no longer as interested in data or intellectual-property theft as they once were; their goal now is the disruption and destruction of the critical infrastructure and services Americans depend on in everyday life. These actors get into critical infrastructure networks by finding the flaws and defects in the technology.

CISA introduced the Secure by Design concept more than a year ago. Easterly and her team believe that building fundamentally secure software can break the ongoing pattern of threat actors exploiting flaws while companies rush to find a fix before real damage is done. The key is ensuring that the technology Americans rely on is designed, built and tested to be secure from the start.

“It takes real courage to stand up and say you’re willing to make seismic changes to an industry that over decades has not prioritized security,” said Easterly. “I hope this serves as an inspiration to other companies out there.”
