Self-commitment: Over 60 manufacturers pledge to become "Secure by Design"

The US cybersecurity authority CISA is stepping up its efforts to improve security standards in enterprise software: Under the title "Secure by Design Pledge", it is launching a voluntary commitment for manufacturers. Companies that sign the pledge must take steps to bring their products closer to this goal within a twelve-month period after signing. However, the commitment is not legally binding.

To date, 68 companies have signed the voluntary commitment, including cloud industry giants such as Amazon Web Services, Cloudflare and Google. Meanwhile, Apple and Facebook parent company Meta are conspicuous by their absence. Some of the other signatories, such as Microsoft, FortiNet, Cisco and Ivanti, have had to contend with serious security problems in the recent past and were given harsh words and punitive measures by CISA.

Now they must not just pay lip service. Within one year of signing the commitment, each company is required to implement measures in seven areas. They should:

1. Implement multifactor authentication more strongly,
2. Replace standard passwords such as "admin/password" with secure alternatives,
3. Reduce vulnerability to at least one class of vulnerabilities – such as SQL injection – across the entire product range,
4. Achieve a significant improvement in the installation of security patches by customers,
5. Develop a vulnerability disclosure policy (VDP),
6. Quickly provide published vulnerabilities with a CVE ID and relevant metadata, and
7. Facilitate the collection of information after a security incident –, for example through logs –.

On the "Secure by Design Pledge" project page, CISA lists examples of measures that companies can use to boost their security efforts. It also encourages signatories to publicly document their progress.

The US cybersecurity authority offers extensive handouts on the principle of "Secure by Design", for example on mitigating SQL injections and directory traversal vulnerabilities.

(cku)