The Secure By Design Pledge is a great starting point, but it can’t be the end.
June 12, 2024
Kusari recently signed the Cybersecurity & Infrastructure Security Agency’s (CISA) Secure By Design pledge. The pledge outlines steps that companies should take to incorporate security practices into the design, build, and delivery of the technology we use every day. As a company focused on software supply chain security, it was a no-brainer for me to add Kusari’s name.
But I’ll be fully transparent here: there’s nothing in the pledge that I wouldn’t expect every company to already be doing. We provide Yubikeys to new hires to protect our data and the data of our customers, not to meet our pledge commitment to two-factor authentication. Many of the widely-used compliance standards like SOC 2 already require the sorts of activities in the Secure By Design pledge, but with one difference: there’s an audit to verify it.
Auditability is a key part of securing the software supply chain. Companies pay for an independent audit of their compliance because they know that their customers will demand verification. Consumers need more than the vendor’s word when it comes to security controls. Of course, you typically can’t get access to a vendor’s audit report until you’re a customer or well into the procurement process. There are legitimate reasons a vendor may want to keep parts of their report confidential, but some aspects are in the public interest to share, especially if you’re a customer of the vendor’s customer.
This is even more of a concern with open source software. Most open source projects don’t have the time, money, or interest to pursue an audit, and companies that use open source software don’t have the time to request and absorb an audit report from each project in their supply chain — even if the audits existed. Clearly we need something that scales in both production and consumption.
So what I’d like to see come from this is a trend towards automated and verifiable compliance with standards, not just self-attestations. Frameworks like the Supply-chain Levels for Software Artifacts (SLSA) can grow to include more requirements for and beyond the software build process. Software producers — from independent developers to large corporations — can make their attestations with in-toto so that consumers can verify each step. The tools exist, now we as an industry must start adopting them.
The Secure By Design Pledge is a great starting point, but it can’t be the end. If there are things in the pledge that your company is not currently doing, I encourage you to sign it and follow through on the implementation promises. Starting now is better than nothing; let’s keep working toward programmatic, verifiable attestations that improve the software supply chain for everyone.
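To make the "attest, then verify" step concrete, here is an added example (not Kusari's code, and not from any in-toto or SLSA project) using only the Go standard library. It builds an in-toto Statement whose subject is the SHA-256 digest of a build artifact, wraps it in a DSSE envelope signed with Ed25519, and then plays the consumer: the statement is accepted only if a key the consumer already trusts signed it and the artifact in hand is actually one of its subjects. The artifact bytes, key id, artifact name and predicate contents are constructed placeholders; key distribution, timestamping and the full SLSA provenance predicate schema are outside what this shows.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Statement mirrors the in-toto attestation Statement: subjects (artifacts by digest) plus a predicate.
type Statement struct {
	Type          string         `json:"_type"`
	Subject       []Subject      `json:"subject"`
	PredicateType string         `json:"predicateType"`
	Predicate     map[string]any `json:"predicate"`
}

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Envelope is a DSSE envelope: the base64 statement plus detached signatures ("keyid" and "sig").
type Envelope struct {
	PayloadType string              `json:"payloadType"`
	Payload     string              `json:"payload"`
	Signatures  []map[string]string `json:"signatures"`
}

const payloadType = "application/vnd.in-toto+json"

// pae is DSSE's Pre-Authentication Encoding: the signature binds the payload type to the body.
func pae(ptype string, body []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(ptype), ptype, len(body), body))
}

// Attest is the producer side: hash the artifact, describe it in a Statement, sign the encoded payload.
func Attest(artifact []byte, name string, predicate map[string]any, priv ed25519.PrivateKey, keyID string) (Envelope, error) {
	sum := sha256.Sum256(artifact)
	body, err := json.Marshal(Statement{
		Type:          "https://in-toto.io/Statement/v1",
		Subject:       []Subject{{Name: name, Digest: map[string]string{"sha256": hex.EncodeToString(sum[:])}}},
		PredicateType: "https://slsa.dev/provenance/v1",
		Predicate:     predicate,
	})
	if err != nil {
		return Envelope{}, err
	}
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, pae(payloadType, body)))
	return Envelope{payloadType, base64.StdEncoding.EncodeToString(body), []map[string]string{{"keyid": keyID, "sig": sig}}}, nil
}

// Verify is the consumer side: accept only if a trusted key signed it AND the artifact in hand is a subject.
func Verify(env Envelope, artifact []byte, trusted map[string]ed25519.PublicKey) (*Statement, error) {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, err
	}
	signed := false
	for _, s := range env.Signatures {
		pub, ok := trusted[s["keyid"]] // unknown key ids are skipped, never trusted
		raw, decErr := base64.StdEncoding.DecodeString(s["sig"])
		if ok && decErr == nil && ed25519.Verify(pub, pae(env.PayloadType, body), raw) {
			signed = true
			break
		}
	}
	if !signed {
		return nil, errors.New("no valid signature from a trusted key")
	}
	var st Statement
	if err := json.Unmarshal(body, &st); err != nil {
		return nil, err
	}
	sum := sha256.Sum256(artifact)
	for _, sub := range st.Subject {
		if sub.Digest["sha256"] == hex.EncodeToString(sum[:]) {
			return &st, nil
		}
	}
	return nil, errors.New("artifact digest is not a subject of this statement")
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	artifact := []byte("constructed release tarball bytes") // stand-in for a real build output
	env, err := Attest(artifact, "app-1.0.tar.gz", map[string]any{"buildType": "example-ci"}, priv, "build-key-1")
	if err != nil {
		panic(err)
	}
	keys := map[string]ed25519.PublicKey{"build-key-1": pub}
	_, okErr := Verify(env, artifact, keys)
	_, badErr := Verify(env, []byte("swapped artifact"), keys)
	fmt.Println("genuine verifies:", okErr == nil, "| swapped rejected:", badErr != nil)
}
```

The point of the two checks in Verify is that a signature alone proves only that someone with the key made a claim; binding the claim to the artifact's digest is what turns a self-attestation into something a downstream consumer, or a consumer's consumer, can check mechanically for every artifact in their supply chain.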