Barracuda is proud to announce that it has signed the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Secure by Design Pledge, underlining our commitment to protecting small and medium-sized businesses across all sectors from complex cyberthreats.
By participating in the voluntary initiative, Barracuda, along with more than 200 other software manufacturers, pledges to integrate robust cybersecurity practices into its products and service offerings.
According to CISA, “Americans need a new model to address the gaps in cybersecurity — a model where consumers can trust the safety and integrity of the technology that they use every day …. Products designed with Secure by Design principles prioritize the security of customers as a core business requirement, rather than merely treating it as a technical feature.”
The pledge includes seven goals for demonstrating measurable progress in software design:
- Increasing the use of multifactor authentication (MFA) across products
- Reducing default passwords across products
- Enabling a measurable reduction of one or more vulnerability classes (e.g., SQL injections, cross-site scripting, memory safety vulnerabilities)
- Increasing the installation of security patches by customers
- Publishing a vulnerability disclosure policy (VDP)
- Transparently reporting on vulnerabilities
- Increasing the ability for customers to gather evidence of cybersecurity intrusions
“A more secure by design future is indeed possible. The items in the pledge directly address some of the most pervasive cybersecurity threats we at CISA see today, and by taking the pledge software manufacturers are helping raise our national cybersecurity baseline,” CISA Senior Technical Advisor Jack Cable said. “Every software manufacturer should recognize that they have a responsibility to protect their customers, contributing to our national and economic security. I appreciate the leadership of those who signed on and hope that every technology manufacturer will follow suit.”
Why Barracuda has signed the pledge: Insights from Barracuda’s CISO
To better understand why Barracuda has signed the Secure by Design Pledge, we spoke with Barracuda Chief Information Security Officer (CISO) Riaz Lakhani for his perspective on how the pledge will help customers and the security industry as a whole.
As Barracuda’s CISO, what do you see as the risks and security benefits of signing the Secure by Design Pledge?
Signing the Secure by Design Pledge offers significant benefits for both our customers and the broader industry. By committing to this pledge, we are contributing to the creation of higher-quality security products across the board. This initiative encourages companies to integrate foundational security practices from the very beginning of the design phase, continuing through development, release, and updates. This proactive approach not only enhances the manageability of security but also reduces the burden on our customers by ensuring that security is built in rather than bolted on.
However, there are risks to consider. One of the core principles of the CISA Secure by Design Pledge is to embrace radical transparency and accountability. While transparency in cybersecurity is beneficial, it must be handled with care. Responsible disclosure is crucial to ensure that customers are not exposed to critical vulnerabilities without a fix. Balancing transparency with the need to protect sensitive information is essential to maintaining trust and security.
What pledge elements could have helped mitigate some recent industry breaches?
Over the last year, we have observed several instances where software vendors and their customers pointed fingers at each other when customer accounts were compromised. These breaches often resulted from leaked account credentials and the lack of MFA.
This scenario is not uncommon, as many software vendors face similar challenges with customers leaking passwords. The Secure by Design Pledge emphasizes the importance of implementing strong security measures, such as default MFA requirements. By mandating MFA, we can significantly reduce the risk of unauthorized access and mitigate threats stemming from credential leaks. This proactive measure would have been instrumental in preventing such breaches and protecting customer data.