Today, Tidelift was proud to join other leading technology companies during a live ceremony at RSA in San Francisco where we signed the US Cybersecurity and Infrastructure Security Agency (CISA) Secure by Design pledge. By signing this pledge, we are joining an industry-wide effort to ensure security is built into the design of tech products from the start.
Open source software is at the heart of all modern software applications, so proactively securing it is essential. We look forward to continuing our work with the independent open source maintainers behind over 5,000 community-developed projects to help other organizations ensure the third-party open source packages incorporated into their products are Secure by Design as well, and we’ll be sharing more about our efforts during the next year.
If you are interested in learning more about CISA’s Secure by Design initiative, we found this video on the Secure by Design website featuring Bob Lord and Jack Cable, both Senior Technical Advisors at CISA, to be quite illuminating.
All of the companies signing this pledge are making a good-faith effort to work toward a set of important security goals over the following year and to publicly document their progress. The security goals included in the pledge are:
- Multi-factor authentication (MFA): Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of multi-factor authentication across the manufacturer’s products.
- Default passwords: Within one year of signing the pledge, demonstrate measurable progress towards reducing default passwords across the manufacturers’ products.
- Reducing entire classes of vulnerability: Within one year of signing the pledge, demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products.
- Security patches: Within one year of signing the pledge, demonstrate actions taken to measurably increase the installation of security patches by customers.
- Vulnerability disclosure policy: Within one year of signing the pledge, publish a vulnerability disclosure policy (VDP) that authorizes testing by members of the public on products offered by the manufacturer, commits to not recommending or pursuing legal action against anyone engaging in good faith efforts to follow the VDP, provides a clear channel to report vulnerabilities, and allows for public disclosure of vulnerabilities in line with coordinated vulnerability disclosure best practices and international standards.
- CVEs: Within one year of signing the pledge, demonstrate transparency in vulnerability reporting by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every Common Vulnerabilities and Exposures (CVE) record for the manufacturer’s products. Additionally, issue CVEs in a timely manner for, at minimum, all critical or high impact vulnerabilities (whether discovered internally or by a third party) that either require actions by a customer to patch or have evidence of active exploitation.
- Evidence of intrusions: Within one year of signing the pledge, demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products.
Want to go deeper on the Secure by Design work CISA is leading? Be sure to join us this year at Upstream on June 5. Upstream is a free one-day virtual event bringing together open source maintainers and the people who use their creations. This year we have an exceptional lineup, including Jack Cable and Aeva Black from CISA, who will be joining me to discuss the Secure by Design initiative and how it applies to open source.