68 tech names sign CISA's secure-by-design pledge

Some of the biggest names in tech – including AWS, Microsoft, Google, Cisco and IBM – have signed up to a US Cybersecurity and Infrastructure Agency-led effort and promised to take a series of actions within a year to make their products more secure. And we're so sure they will. CISA's Secure by Design pledge – signed by 68 …

  1. Zibob Silver badge

    Can we start legal proceedings now?

    This is a plain, bold-faced lie. They will say whatever it takes to make sure the juicy government money keeps on flowing.

    So knowing that this has zero oversight, enforcement or repercussions when it fails, can we just start building the case right now on the basis that they are lying from second zero.

    Security will continue to be a lamentable clown show, where the right thing is visible but skipped over in favour of the money potential.

    1. Anonymous Coward

      Re: Can we start legal proceedings now?

      Agree.

      Instead, companies above a certain market cap or turnover (not profit - too much margin for accounting games) should be made liable for the problems. Do that and it will either be fixed in a year - or the amount of money spent on lobbying will double, of course (IMHO more likely).

      Prime example: Microsoft. If anyone calls the new Outlook they've been trying to ram down our throats for the last few months anything more than a beta they have not experienced decent software before.

      1. Anonymous Coward

        Outlook...

        "Prime example: Microsoft. If anyone calls the new Outlook they've been trying to ram down our throats for the last few months anything more than a beta they have not experienced decent software before."

        FTFY.

  2. Mike 137 Silver badge

    "Reduce one or more entire classes of vulnerabilities"

    "one or more" -- guess which will be done (with luck), and then only "reduce". But it occurs to me that if they were to succeed in significantly reducing a single class of vulnerability (a.k.a. bug) they would have to have put in place the management processes to do the same for most other classes. What will probably happen is that they will set up a blacklist check for a specific coding error and disregard any bug with similar effect that doesn't match it exactly. There's long-standing evidence of this approach -- patches that trap specific malicious data rather than addressing the weakness that reacts badly to a wider range of malicious data.

    In any case, the list of actions hardly touches the extent of the real issues as it's purely technocentric, whereas adequate engineering is grounded in robust management processes. So "secure by design" remains a very long way off. The CISA seems rather prone to developing potentially worthwhile initiatives that can nevertheless be easily sidestepped by those signing up to them -- witness the 2023 secure software attestation form.
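As an added illustration of the distinction drawn in the post above (example code, not from the article or from any vendor it names): a blocklist-style patch that rejects the one pattern seen in a report, beside a fix that constrains the whole class of path-traversal weakness. The base directory and the sample paths are constructed assumptions.

```python
import os

# Assumed document root for the example; not a real deployment path.
BASE_DIR = "/srv/app/uploads"


def narrow_patch_is_safe(user_path: str) -> bool:
    """'Trap the specific malicious data' style of fix: reject the exact
    substring that appeared in the incident and nothing else."""
    return "../" not in user_path


def class_fix_is_safe(user_path: str, base_dir: str = BASE_DIR) -> bool:
    """Address the weakness itself: however the input is spelled, the
    resolved target must remain inside base_dir."""
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, user_path))
    # commonpath (not str.startswith) so a sibling such as
    # /srv/app/uploads2 is not mistaken for a child of the root.
    return os.path.commonpath([root, candidate]) == root


def compare(user_path: str) -> tuple:
    """Return (narrow_patch_verdict, class_fix_verdict) for one input."""
    return narrow_patch_is_safe(user_path), class_fix_is_safe(user_path)


# Constructed sample inputs: a benign relative file, the literal pattern
# the narrow patch was written for, and an absolute path, which contains
# no "../" at all yet still leaves the directory because os.path.join
# discards the base when its second argument is absolute.
SAMPLE_INPUTS = ["reports/2024/q1.pdf", "../../etc/passwd", "/etc/passwd"]

if __name__ == "__main__":
    for p in SAMPLE_INPUTS:
        narrow, fixed = compare(p)
        print(f"{p!r:24} narrow_patch={narrow!s:5} class_fix={fixed}")
```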

  3. Doctor Syntax Silver badge

    No doubt the words of the pledge will be as meaningful to them as such statements as: "Your privacy/security is important to us.", "We always put security first." and the evergreen "Only a small number of customers were affected.".

    1. Anonymous Coward
      Joke

      The cynicism is much strong on this forum

      Remember, a techie can feel the cynicism flowing through him.

      1. Anonymous Coward

        Re: The cynicism is much strong on this forum

        Some people call it experience.

        For anyone not having experience, it often looks like cynicism.

        1. Anonymous Coward

          Re: The cynicism is much strong on this forum

          And unfortunately it only takes one major flaw to compromise quite a large chunk of most companies these days. MGM much…

          The big tech companies all have extensive internal security programs but the AppSec engineer can only be as good as what information is given. Fixing systemic issues in big tech also takes a little more than just a bunch of security patches.

          More systems -> more security holes.

          I’ve seen most security issues downplayed most of my career. Shortcuts will be taken where business chooses profits over spending time fixing security issues - usually nothing major, until it is…

          Red teams can only dig into so many things at a time, and usually when flagged it takes years to properly fix.

          Question remains, do we have years?

  4. Anonymous Coward

    What a ... joke

    Fell off my chair, Microsoft secure by design, where's my inhaler.

    1. vtcodger Silver badge

      Re: What a ... joke

      Your inhaler? Best watch that stuff. If you take a hit every time Microsoft makes an ahem ... questionable ... statement you are likely headed for big trouble.

  5. Anonymous Coward

    Solar Winds, anyone?

    No mention of making DEVELOPMENT ENVIRONMENTS secure!!

    Strange.....but no surprise really!!

    1. Anonymous Coward

      Re: Solar Winds, anyone?

      Come on, do you really think any of these players is serious about this pledge?

      Marketing and lies, but I repeat myself..

  6. Bebu
    Windows

    By design?

    Looking at the CISA list it looks more like by process to me. More of an agenda than a specification.

    Secure is just correctness with a restricted set of concerns namely the specification's security properties.

    It's the same old hard problem of verifiably correct software composing verifiably correct systems.

    Secure by design should mean the construction of the system or software uses the specification of security properties as its primary design document which should also guide the construction processes with an eye to continuously verifying the product against the specification. Something like this, many years ago [1990], was called software or program derivation by analogy with the proof process in mathematics.

    Considering the development processes and culture, quality control and sheer size of these players' code bases the CISA program is less a case of pissing into the wind than shitting in the face of a hurricane.

    We will have fusion powered flying cars before we have secure correct software.

  7. Anonymous Coward

    "promised to take a series of actions within a year to make their products more secure."

    More secure *for them* of course. Not the corporations or people to be fleeced: They exist solely to be robbed blind.

    'More secure' also refers to the flow of money these corporations get by stealing from anyone who can't escape vendor lock-in. Same as 'more secured profits'.
