
There has been a promising shift in the tech industry, with major companies pledging to release products with built-in security features. This development aims to address the increasing cybersecurity threats individuals and organizations face.

This article highlights the efforts of companies such as Microsoft, Google, and Apple to prioritize security by default in their products. These security measures include encryption, multi-factor authentication, and automatic security updates. 

What Does This Initiative Involve & What Are the Implications for Cybersecurity?

There has been a significant development in the tech industry as nearly 70 tech and cybersecurity companies commit to integrating default security features into their products. This "secure by design" pledge aims to enhance the baseline security of tech products and address vulnerabilities right from the point of sale. The initiative is led by the Cybersecurity and Infrastructure Security Agency (CISA) and supported by major companies, including Microsoft, IBM, and Amazon Web Services. This proactive move emphasizes the importance of cybersecurity in today's digital landscape and the need for secure software practices.

According to CISA, the goals of this initiative include:

  • Increase the use of multi-factor authentication (MFA) across their products;
  • Reduce default passwords across their products;
  • Reduce one or more entire classes of vulnerabilities;
  • Increase the installation of security patches by customers;
  • Publish a vulnerability disclosure policy (VDP) that authorizes testing by members of the public on products, commits to not recommending or pursuing legal action against anyone engaging in good faith efforts to follow the VDP, provides a clear channel to report vulnerabilities, and allows for public disclosure in line with coordinated vulnerability disclosure best practices and standards;
  • Demonstrate transparency in vulnerability reporting by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every CVE record for their products – and issue CVEs in a "timely manner," at least for critical and high-impact bugs; and
  • Make it easier for customers to spot evidence of intrusions affecting their products.

Open Source: Pioneering the 'Secure-by-Design' Revolution

For Linux admins, infosec professionals, internet security enthusiasts, and sysadmins, this development is significant because it demonstrates a proactive approach to cybersecurity. We know the benefits of built-in security, a key part of the open-source development model. Open-source software has publicly accessible code that anyone can view and contribute to, fostering thorough review by a vibrant worldwide community and resulting in the rapid detection and elimination of security issues. Software vulnerabilities cause the vast majority of breaches, and the initiative to embed security features directly into products could greatly reduce these risks. Embracing the open-source model would further enhance the inherent security of software developed under the secure-by-design initiative.

The partnership between tech companies and cybersecurity experts to create more robust security features is particularly noteworthy. One security researcher states, "This collaborative effort will help address complex security challenges and lead to more resilient products." This collaboration is crucial in bridging the gap between theoretical security practices and real-world implementation. It raises questions about how this collaborative effort will impact the overall security landscape and whether it will result in a more standardized approach to security across different products.

Another aspect to consider is the long-term consequences of this initiative. While embedding security features in products is a positive step, it could also create a false sense of security among users. One cybersecurity consultant warns, "Relying solely on built-in security features may lead users to believe they are invulnerable to attacks." This raises concerns about user complacency and the need for ongoing education and awareness campaigns to ensure that users understand the limitations of these built-in security measures.

Moreover, although the tech companies involved have signed the CISA's secure-by-design pledge, it is crucial to note that their commitments are voluntary. There are currently no measures in place to ensure that those who have signed on will hold up their end of the agreement. This is a critical consideration, as it is one thing to say you will adhere to a commitment and another to honor it in actuality. More must be done to ensure that companies uphold their promise to provide users with foundationally secure software.

The impact of this initiative on security practitioners is significant. It could streamline security practices and reduce the burden of continuously patching vulnerabilities. However, it also raises concerns about vendor lock-in and the potential for companies to monopolize the security software market. As open-source advocates, we must examine how this initiative aligns with the principles of openness, transparency, and collaboration that are the foundation of Linux and other open-source technologies.

Our Final Thoughts on This Push for Built-in Security

This initiative is a promising development in the tech industry. While it brings a positive shift towards proactive cybersecurity measures, it also raises questions about collaboration, a false sense of security, compatibility, and the balance between convenience and robustness. As security practitioners, we must critically analyze these implications and continue advocating for open-source practices and user education to strengthen overall security.