Qualys Is Proud to Sign CISA’s Secure by Design Pledge

Jonathan Trull

Last updated on: May 8, 2024

Cybersecurity leaders in the U.S. are very familiar with the Cybersecurity and Infrastructure Security Agency (CISA) and its important work to keep the internet, our country, and its citizens safe from cyber threats. As part of that effort, CISA has identified secure by design software as a key element in ensuring the integrity and security of our critical infrastructure.

That’s why I am proud to announce that Qualys is signing CISA’s Secure by Design Pledge. Qualys was founded to help companies minimize cyber risk, and one of our fundamental tenets is making the digital world safer for everyone. As our President and CEO, Sumedh Thakar, says (and I’m paraphrasing here), “You can’t go through a day without working with a company that Qualys protects.” With that much responsibility, we take our commitment to security seriously—the security of our customers, our organization, and the broader digital universe. Keeping our customers safe by including security as a foundational element embedded in our product is a fundamental part of this commitment.

Why Secure by Design Is Important

One of the clearest illustrations of why this standard matters is what happened to Colonial Pipeline about three years ago. That breach began with a single compromised password for a legacy VPN account that was not protected by multi-factor authentication. The pipeline that carries almost half of the East Coast's fuel supply shut down, and panicked customers sat in enormous lines at gas stations, all because of one password and a missing second factor. These kinds of easily preventable incidents happen because, all too often, security in software products is treated as an afterthought. Products are released, vulnerabilities are exposed, and security is dealt with later.

At Qualys, we firmly agree with CISA that designing and maintaining a secure product is fundamental. As a cybersecurity company, our business runs on trust. Our customers trust that we have secure products that will keep their organizations and their most sensitive data safe. That’s why we have always believed that security is foundational and should be woven into a product’s lifecycle. And that’s why we’re committed to the secure by design principles.

The 7 Secure by Design Pledge Goals

Secure by design principles seek to introduce security at the design stage of product development, greatly reducing the risk a product carries before it ever reaches the customer, and then to carry that discipline through the product's lifecycle with practices such as simple and timely patching. The Secure by Design Pledge lists seven goals that put this philosophy into practice. I firmly believe that all software manufacturers should adopt these principles as part of their larger security program to keep their organization and customers safe, which is why Qualys meets and, in many cases, goes well beyond the security principles outlined in these goals. Those goals are:

  • Reducing entire classes of vulnerability: Signers will measurably reduce the prevalence of one or more vulnerability classes, such as SQL injection or cross-site scripting, across all of their products.
  • Security patches: This goal applies after a product has shipped and asks signers to make it measurably easier for customers to install security patches.
  • Vulnerability disclosure policy (VDP): To encourage good-faith disclosure, signers publish a vulnerability disclosure policy that gives researchers a safe, authorized way to report vulnerabilities to the vendor.
  • CVEs: Signers commit to transparency in vulnerability reporting, publishing accurate Common Vulnerabilities and Exposures (CVE) records for their products (including correct weakness and affected-product details) and issuing them in a timely manner.
  • Evidence of intrusions: This goal is meant to let customers detect and understand security incidents by measurably increasing their ability to gather evidence of intrusions affecting the product, for example through the logs the product makes available.
  • Multi-factor authentication (MFA): Signers agree to measurably increase the use of MFA across their products, with the aim of getting more customers to enable it.
  • Default passwords: Within a year of signing, signers will demonstrate measurable progress toward eliminating default passwords in their products, particularly in internet-facing products.

At Qualys, we have already implemented stringent security policies to keep our customers and products safe. We will be pleased to report to CISA within the year how we have achieved, if not exceeded, all of these Secure by Design Pledge goals.
