Nearly 200 firms have signed pledge to build more secure software, top cyber official says

BlackJack3D/Getty Images

The initial tally began at around 70 companies when the Cybersecurity and Infrastructure Security Agency first headlined the initiative at the RSA Conference in San Francisco.

LAS VEGAS — Nearly 200 tech and cybersecurity companies have signed onto a U.S.-led pledge to bake more default secure features in their products when sold to enterprise customers or when they come off the shelf at retailers, a top American cybersecurity official said Thursday,

The Secure by Design pledge, led by the Cybersecurity and Infrastructure Security Agency, was first headlined at the RSA Conference in May, with some 70 firms pledging to manage vulnerability disclosure programs, track hackers’ attempts to breach their products and reduce default passwords used to log in to devices or applications during first-time setup, among other areas.

“We have a software quality problem,” said CISA head Jen Easterly, presenting to a large audience at the Black Hat cybersecurity conference, where she provided the update on the signatories. “We don’t need more security products, we need more secure products.”

CISA has been pushing secure product design since the agency’s inception in 2018. Multiple high-profile cyber incidents impacting the public and private sectors over the past year have galvanized interest in the concept, which encourages companies to design their offerings with built-in security features that come pre-installed at point-of-sale.

As of publication time, 189 companies have signed the pledge, according to CISA’s website.

Proponents of secure software standards have made comparisons akin to food or automobile safety laws, arguing that legal directives for software manufacturing would benefit all of society. Some software defects have existed for years but have not been entirely addressed.

Legal experts argue that the software market isn’t incentivizing secure development, with major manufacturers weaving clauses into contracts that make users accept the software “as is” upon purchase and installation, which forces customers to bear the entire risk of a product, including defects that could enable cyber exploitation.

NEXT STORY: NASA presses pause on SEWP VI