Nearly 200 companies have committed to developing more secure software, says a leading cyber official

LAS VEGAS – Nearly 200 technology and cybersecurity companies have joined a U.S.-led commitment to build more standard security features into their products, whether those products are sold to enterprise customers or available in retail stores, a senior American cybersecurity official said Thursday.

The “Secure by Design” pledge, led by the Cybersecurity and Infrastructure Security Agency, was first headlined at the RSA conference in May, with around 70 companies committing to managing vulnerability disclosure programs, tracking hackers’ attempts to break into their products and reducing the number of default passwords used during the initial setup of devices or applications.

“We have a software quality problem,” CISA chief Jen Easterly told a large audience at the Black Hat cybersecurity conference, where she gave an update on the signatories. “We don’t need more security products, we need more secure products.”

CISA has been promoting secure product design since the agency was founded in 2018. Several high-profile cyber incidents in the public and private sectors over the past year have sparked interest in the concept, encouraging companies to equip their offerings with built-in security features pre-installed at the point of sale.

At the time of publication, according to the CISA website, 189 companies have signed the commitment.

Proponents of secure software standards draw comparisons with food or automobile safety laws and argue that legal guidelines for software production would benefit society as a whole. Some software bugs have existed for years but have not been fully fixed.

Legal experts argue that the software market does not provide incentives for secure development, with major manufacturers adding clauses to their contracts that force users to accept the software “as is” when purchasing and installing it. This means that customers have to bear the entire risk of a product, including any defects that could lead to cyber exploitation.
