Summary: Nearly 200 tech and cybersecurity companies have committed to the U.S.-led Secure by Design pledge, aimed at enhancing the security features of products sold to enterprise customers and retail consumers. This initiative, spearheaded by CISA, emphasizes the need for inherently secure products rather than merely increasing the number of security solutions available.
Threat Actor: Cybercriminals
Victim: Tech and cybersecurity companies
Key Points:
- 189 companies have signed the Secure by Design pledge to improve product security.
- The initiative encourages built-in security features at the point of sale for better consumer protection.
- Legal experts highlight the lack of incentives for secure software development in the current market.
- Comparisons are drawn between software safety standards and regulations in food and automobile industries.

LAS VEGAS — Nearly 200 tech and cybersecurity companies have signed onto a U.S.-led pledge to build more secure-by-default features into their products, whether sold to enterprise customers or taken off the shelf at retailers, a top American cybersecurity official said Thursday.
The Secure by Design pledge, led by the Cybersecurity and Infrastructure Security Agency, was first announced at the RSA Conference in May, when some 70 firms committed to running vulnerability disclosure programs, giving customers evidence of attempts to breach their products, and reducing the use of default passwords for logging in to devices or applications during first-time setup, among other goals.
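The default-password goal above is the most concrete of the pledge items, so here is an added illustration of what it means in code. This is example code written for this page, not CISA's guidance text or any signatory's firmware: a device model whose login is unusable until first-boot setup has completed, and whose setup refuses factory defaults and stores only a salted scrypt hash. The `Device` class, the constructed `KNOWN_DEFAULTS` list and the policy numbers are assumptions for illustration.

```python
"""Added example: first-boot credential setup that eliminates default passwords.

Contrast with the insecure-by-default pattern the pledge targets, where a
device ships accepting a well-known credential such as admin/admin until
the owner remembers to change it. Everything here is illustrative.
"""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed list of well-known factory defaults; a real product would
# at least include every credential it has ever shipped with.
KNOWN_DEFAULTS = {"admin", "password", "12345678", "default", "root"}
MIN_LENGTH = 12  # assumed policy value

# scrypt cost parameters (assumed; 128*r*n = 16 MiB, within hashlib's default maxmem)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def validate_new_password(candidate: str, username: str) -> List[str]:
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in KNOWN_DEFAULTS:
        problems.append("matches a known factory default")
    if username and candidate.lower() == username.lower():
        problems.append("same as the username")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted scrypt hash; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a recomputed hash against the stored one."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class Device:
    """Hypothetical appliance: no credential exists until setup completes."""

    def __init__(self) -> None:
        self.credential: Optional[Tuple[str, bytes, bytes]] = None
        self.setup_complete = False

    def first_boot_setup(self, username: str, new_password: str) -> Tuple[bool, List[str]]:
        """Set the owner's unique credential; refuses defaults and weak choices."""
        if self.setup_complete:
            raise RuntimeError("setup already completed; use the change-password flow")
        problems = validate_new_password(new_password, username)
        if problems:
            return False, problems
        salt, digest = hash_password(new_password)
        self.credential = (username, salt, digest)
        self.setup_complete = True
        return True, []

    def login(self, username: str, password: str) -> bool:
        """Authenticate; before setup there is deliberately nothing to accept."""
        if not self.setup_complete or self.credential is None:
            return False
        stored_user, salt, digest = self.credential
        return stored_user == username and verify_password(password, salt, digest)


if __name__ == "__main__":
    dev = Device()
    print("login before setup:", dev.login("admin", "admin"))
    print("setup with default:", dev.first_boot_setup("operator", "password"))
    print("setup with unique :", dev.first_boot_setup("operator", "correct horse battery staple"))
    print("login after setup :", dev.login("operator", "correct horse battery staple"))
```

The point of the design is the ordering: the device is not reachable with any credential until the owner has supplied one that passes policy, so there is no window in which a scanner can log in with a vendor default.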
“We have a software quality problem,” said CISA head Jen Easterly, presenting to a large audience at the Black Hat cybersecurity conference, where she provided the update on the signatories. “We don’t need more security products, we need more secure products.”
CISA has been pushing secure product design since the agency’s inception in 2018. Multiple high-profile cyber incidents affecting the public and private sectors over the past year have galvanized interest in the concept, which encourages companies to ship their offerings with security features built in and enabled by default rather than left for the customer to configure after purchase.
As of publication time, 189 companies have signed the pledge, according to CISA’s website.
Proponents of secure software standards have compared the idea to food or automobile safety laws, arguing that legal requirements for software manufacturing would benefit all of society. Some classes of software defects have been known for years and still have not been fully addressed.
Legal experts argue that the software market does not reward secure development. Major manufacturers weave clauses into their contracts that make users accept the software “as is” upon purchase and installation, which shifts the entire risk of the product onto the customer, including defects that could enable cyber exploitation.