Being among the first to sign CISA’s Secure by Design pledge at RSA was a highlight for us at Securin. As tech leaders, we know there’s never been a better – or more crucial – time to incentivize good security practices and transparency across industries.
It also underlines the importance of reframing how we talk about and address the fundamental challenge of vulnerability and weakness in widely used software. As our own research at Securin indicates, many of the vulnerabilities exploited today are ones that could have been prevented. Let’s take a look:
Challenges of Vulnerabilities and Weaknesses
1. If you focus priorities and efforts entirely on the MITRE Top 25, there’s a good chance you’ll miss a highly weaponized, less known weakness that’s relevant to your specific systems. Think about it: our industry is calling out for risk-based prioritization, but we rely on a Top 25 based on CVSS scores. Nine out of the Top 25 weaknesses across ransomware-exploited CVEs are absent from the MITRE Top 25 list. We see the same concerning trends across CISA KEVs, where eight of the Top 25 weaknesses are outside the MITRE Top 25.
This mismatch between the weaknesses that actually foster exploitation and the MITRE Top 25 can impede progress in the encouraging Shift Left movement. On the bright side, MITRE itself acknowledges the gap; since 2023 it has released its Top 10 CISA KEV Weaknesses.
2. There’s also the unfortunate reality that while some vulnerabilities have been around for a long time, they’re not gathering any dust: as we see with cross-site scripting (XSS), developers are coding-in the same errors to web applications over and over again. Not out of malice or slackness, but because modern web applications are often complex, with numerous interconnected components and dependencies.
3. But if we want secure coding practices, and a focus on eliminating repeatedly exploited software bugs and weaknesses, we have to equip developers with the knowledge and insights they need. How can they know which classes of weakness exhibit these dangerous patterns? The answer comes from known-exploitation insights, in our next point…
4. Top 5 Weakness Categories developers should focus on eliminating:
- Memory Safety
- Injection
- Access Control
- Improper Input Validation
- Resource Lifecycle Management
Bottom line: Many of the all-too-familiar vulnerabilities in the Top 25 can be mitigated through more secure coding practices. As CISA Director Jen Easterly underlined, the stakes have never been higher:
“They [cyber attackers] are able to get into our critical infrastructure because of flaws and defects in our technology. But we have the power to change this. We can achieve long-term security through fundamentally more secure software. Building more secure software is the only way to catalyze more secure critical infrastructure.”
That’s why Securin is so proud to be a part of Secure by Design: it places secure practices at the heart of everything we do with software. Above all, the seven pledges underline the need for a more expansive view of risk, and a holistic approach to mitigation: for example, vulnerability management and mitigation in software are crucial, but it’s important to augment that with strong passwords and multi-factor authentication (MFA).
In short: It’s proactive cybersecurity.
Let’s take a look at the seven pledges…
CISA’s Secure by Design Goals
The seven Secure by Design pledge goals, and the rationale behind each, are:
1. Increase the use of Multi-factor authentication (MFA):
MFA is the greatest defense against password-based attacks such as credential stuffing and password theft. Any form of MFA has been shown to significantly reduce the success of such attacks.
2. Reduce the use of default passwords:
Default passwords (universally shared passwords present across a product as shipped) continue to enable damaging cyber attacks. Default passwords should be replaced with more secure authentication methods, such as MFA and the other goals on this list.
3. Reduce entire classes of vulnerability:
The vast majority of exploited vulnerabilities today are due to classes of vulnerabilities that can often be prevented at scale – e.g. SQL injection, XSS. An effective way that software manufacturers can reduce risk for their customers is by working to reduce classes of vulnerabilities at scale across their products.
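As an added illustration (not code from the original post or from Securin), here is what eliminating two of those classes looks like at the code level, using a constructed in-memory SQLite table: the vulnerable query pattern is shown beside the parameterized form that removes SQL injection as a class, and output is HTML-encoded at the rendering boundary to remove reflected XSS as a class. Note that the injection hole also surfaces as an ordinary functional bug on a legitimate name containing an apostrophe.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data, not from the original page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    # The pattern to eliminate: untrusted input spliced into the query text.
    # Any quote in `name` changes the SQL itself; "o'brien" already breaks it.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user(conn, name):
    # Class-level fix: the value travels separately from the SQL text, so the
    # database always treats it as data, whatever characters it contains.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_user_row(name, role):
    # Class-level fix for XSS: encode at the output boundary, every time,
    # instead of trusting that each stored value is harmless.
    return f"<tr><td>{html.escape(name)}</td><td>{html.escape(role)}</td></tr>"


def survives(lookup, conn, name):
    # Returns True when `lookup` handles `name` without a database error.
    try:
        lookup(conn, name)
        return True
    except sqlite3.Error:
        return False


if __name__ == "__main__":
    db = make_db()
    print("parameterized:", find_user(db, "o'brien"))
    print("vulnerable survives apostrophe:", survives(find_user_vulnerable, db, "o'brien"))
    print(render_user_row("<b>x</b>", "user"))
```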
4. Increase installation of security patches:
In addition to rooting out vulnerabilities at source, software manufacturers have the ability to make it easier for customers to install security patches, such as by offering support and enabling automatic update functionality (by default, where appropriate).
5. Publish a vulnerability disclosure policy:
Coordinated vulnerability disclosure has emerged as a mutually beneficial norm for engaging with security researchers. Software manufacturers benefit from receiving help from the security research community that can allow them to better secure their products. Security researchers receive authorization for testing under the policy, in addition to a clear channel to report vulnerabilities.
6. Transparent vulnerability reporting, including accurate CWE and CPE fields in every CVE record:
In addition to serving as a standardized way to communicate actions that customers should take to protect against vulnerabilities, timely, correct and complete CVE records allow for public transparency in vulnerability trends over time. This benefits both individual companies and their customers, and the software industry more generally, allowing software developers to better understand the most pressing classes of vulnerabilities over time.
7. Provide evidence of intrusions (logs) to help customers detect and prevent breaches:
It’s essential that organizations have the ability to detect cybersecurity incidents that have occurred and understand what has happened. Software manufacturers can enable their customers to do so by providing artifacts and capabilities to gather evidence of intrusions, such as a customer’s audit logs. In doing so, software manufacturers embody the Secure by Design principle of taking ownership of their customers’ security outcomes.
What’s Next?
From Securin’s perspective, we particularly welcome steps 3, 4, 5, 6 and 7. As champions for a proactive approach to cybersecurity, we believe that these steps will go a long way towards providing the all-important context that’s crucial to delivering the comprehensive vulnerability intelligence organizations of all sizes and sectors need.
A new generation of software developers and DevSecOps practitioners are tasked with operating in a world where IT and security are converging. Cybersecurity is becoming part of day-to-day software development. And part of that will be finding the weakness before it becomes a vulnerability. As Securin CEO Ram Movva puts it:
“We’re pleased to see developers encouraged to reduce the number of vulnerabilities in their products. The discussion around cybersecurity appropriately revolves around remediating vulnerabilities, yet many vulnerabilities can be prevented on the assembly line before a product leaves the shop. Including the vulnerability disclosure policy and security patch initiatives is a great measure to include the wider community and customers in the security process.”
As cybersecurity leaders, we recognize the crucial role CISA plays in keeping the United States safe from cyber threats – and the role that secure by design software plays in underpinning the integrity and security of our critical infrastructure.