Tech leaders recognize that there has never been a more crucial time to incentivize routine security practices and industry-wide transparency. This is especially apparent to those who were among the first to sign CISA’s Secure by Design pledge; that select group of cybersecurity professionals is also cognizant of how important it is that we address and openly discuss the vulnerabilities and weaknesses that lie within widely used software.
Most of the vulnerabilities being exploited today are ones that could have been avoided. Below are some examples:
The Challenges of Weaknesses and Vulnerabilities
- Putting all of your focus and security effort onto the MITRE Top 25 can leave you vulnerable to a lesser-known, highly weaponized weakness that is relevant to your specific systems. Relying solely on a Top 25 ranked by CVSS scores misses the big picture, given that our industry calls for risk-based prioritization. For example, across CISA KEVs, eight of the Top 25 weaknesses are outside the MITRE Top 25. The same can be seen in the other direction: nine of the Top 25 weaknesses across ransomware-exploited CVEs are absent from the MITRE Top 25 list. This is starting to be remediated, with MITRE itself acknowledging the gap and releasing its Top 10 CISA KEV Weaknesses in 2023.
- There is also the harsh reality that older vulnerabilities that have been around for a while are not out of commission. This can be seen with XSS (cross-site scripting): developers keep coding the same errors into web applications repeatedly. This is not done out of laziness or spite, but because modern web applications are often complex, with numerous interconnected dependencies and components.
- We must equip developers with the knowledge they need if we want secure coding practices that focus on eliminating repeatedly exploited software weaknesses. The question that follows is typically, ‘how can developers know which classes of weakness display these hazardous patterns?’ The answer lies within Known Exploitation Insights, according to which the five main types of weakness developers should work on addressing are:
- Access Control
- Improper Input Validation
- Injection
- Memory Safety
- Resource Lifecycle Management
The bottom line is that many of the vulnerabilities that we know all too well that are listed in the Top 25 can be quelled through the implementation of better and more secure coding practices.
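The point about eliminating a class rather than patching one bug at a time is easiest to see in code. The following is an added example, not code from the article or from Securin: it places a string-built SQL query and a raw HTML render (one instance each of the Injection and XSS classes named above) beside the safe-by-construction API that removes the whole class when used everywhere. The table, the rows and the test input are constructed for the example.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory table with two sample rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn, name):
    # The query is assembled by string interpolation, so untrusted text
    # becomes part of the SQL grammar: one instance of the Injection class.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    # Parameterised query: the driver transmits the value as data, never as
    # SQL. Mandating this API across a codebase removes the class at scale.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def greet_vulnerable(name):
    # Untrusted text spliced straight into markup: one instance of the XSS class.
    return f"<p>Hello, {name}</p>"


def greet_safe(name):
    # Contextual output encoding at the rendering boundary; in a real project
    # this lives in the template engine so that developers cannot forget it.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    # A regression-test input that no legitimate user name should match.
    probe = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, probe))  # every row
    print("safe:      ", find_user_safe(db, probe))        # []
    print(greet_vulnerable("<b>x</b>"), "|", greet_safe("<b>x</b>"))
```
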
The stakes within the cybersecurity industry have never been higher than they are currently. This point is emphasized by CISA Director Jen Easterly:
“They [cyber attackers] are able to get into our critical infrastructure because of flaws and defects in our technology. But we have the power to change this. We can achieve long-term security through fundamentally more secure software. Building more secure software is the only way to catalyze more secure critical infrastructure.”
This is why CISA’s Secure by Design is so important and why Securin is proud to be a part of it. Secure by Design places secure practices at the core of everything pertaining to software and how we use it. Its seven pledges highlight the need for a holistic approach to mitigation and how there needs to be a more expansive view of risk.
To be precise: we need proactive cybersecurity.
Below are the Seven Secure by Design pledge goals – and the rationale behind them:
- Increase multi-factor authentication (MFA) use:
The greatest defense against password-based attacks such as credential stuffing and password theft is multi-factor authentication (MFA). MFA, in any configuration, has proven to greatly diminish the success rate of these attacks.
- Reduce default password use:
Universally shared passwords – or default passwords – continue to be the catalyst for damaging cyber attacks. Replacing default passwords with more secure methods of authentication, such as MFA, is recommended to better protect yourself from these attacks.
- Reducing entire classes of vulnerability:
The majority of exploited vulnerabilities today belong to classes of vulnerability, such as SQL injection and XSS, that can often be prevented at scale. Software manufacturers can reduce risk for their customers by working to eliminate these classes of vulnerability at scale across their products.
- Increase installation of security patches:
In addition to taking vulnerabilities out at source, software manufacturers can make it easier for customers to install security patches, such as by offering support and enabling automatic update functionality (by default, where appropriate).
- Publish a vulnerability disclosure policy:
Coordinated vulnerability disclosure is a mutually beneficial norm for engaging with security researchers. In addition to a clear channel for reporting vulnerabilities, security researchers receive authorization for testing under the policy. Software manufacturers benefit from help from the security research community that allows them to better secure their products.
- Transparent vulnerability reporting (including accurate CWE and CPE fields in every CVE record):
In addition to serving as a standardized way to communicate actions that customers should take to protect against vulnerabilities, timely, correct, and complete CVE records allow for public transparency in vulnerability trends over time. This benefits individual companies and their customers alike, and the software industry more generally, by allowing software developers to better understand the most pressing classes of vulnerabilities over time.
- Provide evidence of intrusions (such as logs) to help customers detect and respond to breaches:
It is a necessity for organizations to detect cybersecurity incidents that have occurred and understand what happened. Software manufacturers can enable their customers to do so by providing artifacts and capabilities to gather evidence of intrusions, such as a customer’s audit logs. By doing this, software manufacturers embody the Secure by Design principle of taking ownership of their customers’ security outcomes.
Now What?
Cybersecurity is becoming part of day-to-day software development, and a new generation of software developers is emerging that is tasked with operating in this newly converged IT/Security world. It is pleasing to see developers being encouraged to reduce the number of vulnerabilities in their products, because so often the conversation revolves around remediating vulnerabilities, when in actuality many vulnerabilities can be prevented on the assembly line before a product leaves the shop. Measures such as publishing a vulnerability disclosure policy and running security patch initiatives are also great ways to bring the wider community and customers into the security process.
That is why CISA plays such a significant role in keeping the United States safe from cyberthreats, and it is our job as security leaders to recognize this and continue to sign pledges like Secure by Design that support the integrity of our critical infrastructure systems.
About the Authors
Kiran Chinnagangannagari is the Chief Product and Technology Officer at Securin. He is a highly accomplished and experienced executive with extensive experience in key leadership roles at major multinational companies. Kiran was the Co-Founder, President, and Chief Technology Officer at Zuggand, an Amazon Web Services Advanced Consulting Partner. Before Zuggand, Kiran was the Chief Technology Officer of the state of Arizona, where he was instrumental in advancing IT strategy and enabling efficient, innovative, and sustainable services. Passionate about helping people find solutions that make their lives easier, Kiran brings a deep understanding of leveraging technology to solve business challenges. Kiran can be reached online via LinkedIn and at https://www.securin.io/.
Ram is the Chairman and Chief Executive Officer of Securin Inc. Through his visionary approach and strategic decision-making, he has played a crucial role in establishing Securin Inc. as a reputable and pioneering figure in the cybersecurity domain. With a wealth of experience spanning more than two decades, Ram co-founded Cyber Security Works and RiskSense and held prominent positions at TIBCO Software. His educational background includes a Bachelor of Engineering degree from the Manipal Institute of Technology and a Master of Engineering degree with a specialization in Systems Engineering from the Georgia Institute of Technology. Recognized as a transformational leader at the WCRC Leaders Asia—The CEO Awards India 2022-2023, Ram’s passion for philanthropy is evident through his active support of community-impacting initiatives. Ram can be reached online via LinkedIn and at https://www.securin.io/.