mwjcomputing@home:~$

CISA's Secure By Design Pledge

If you spend any time in the Application Security space, at least in the United States, you will eventually find that the US Government's Cybersecurity & Infrastructure Security Agency (CISA) has published Secure by Design best practices. It's actually some pretty decent content.

What is actually pretty cool is that they have also created a voluntary Secure by Design Pledge. The pledge currently has over 200 signers. Signatories commit to prioritizing the security of their customers as a core business requirement rather than a feature, and to demonstrating measurable progress within a year of signing on seven Secure by Design goals:

  • Multi-factor authentication (MFA): increase the use of MFA across their products
  • Default passwords: reduce the use of default passwords across their products
  • Reducing entire classes of vulnerability: for example, by moving to memory-safe languages or parameterized queries
  • Security patches: make it easier for customers to install patches and increase the rate at which they are applied
  • Vulnerability disclosure policy: publish one that authorizes good-faith testing and reporting
  • CVEs: file timely, accurate CVE records for their products, including CWE and CPE fields
  • Evidence of intrusions: improve customers' ability to gather the logs and artifacts needed to detect and investigate compromises

Better still, signers are expected to publicly document their progress toward each goal within that first year, or to explain what they have done to work toward it where they cannot yet show progress. That is real transparency for customers of the organizations that have taken the pledge.

Honestly, I am glad this is a thing. I feel that every organization producing software for external customers, and even for internal customers, should take a long look at this. The items on this pledge should be the defaults at any organization. If you are in a position to sign as a vendor, please consider it.

Happy coding!