Risky Bulletin: Episode Summary
Episode: Sponsored: Using Carrots and Sticks to Get More Secure Software
Release Date: March 16, 2025
Host/Author: risky.biz
Introduction to Secure by Design Pledge
In this episode of Risky Bulletin, host Tom Uren talks with Matt Muller, Field CISO at Tines, about the Secure by Design Pledge launched by the Cybersecurity and Infrastructure Security Agency (CISA). The conversation covers the significance of the pledge, its impact on the software industry, and the balance between incentivizing secure software development and enforcing compliance through punitive measures.
Understanding the Secure by Design Pledge
Matt Muller provides a comprehensive overview of the Secure by Design Pledge, outlining its foundational principles aimed at enhancing the security of enterprise software. He explains:
"The CISA Secure by Design pledge is effectively a set of seven principles around designing enterprise software. So this is really targeted at the vendors who sell software to other enterprises, who sell software to government..."
[00:46]
Key commitments within the pledge include developing software using memory-safe languages and improving the inspectability of software to aid cyber defense teams in identifying intrusions.
Tines' Commitment to Security
Tines, a workflow, automation, and AI platform for security teams, is the first next-generation automation and AI company to sign the Secure by Design Pledge. Matt Muller emphasizes:
"For us, signing the pledge was something that really sort of symbolized that commitment. ... It was very much a no-brainer decision to go sign the pledge."
[02:34]
He highlights that Tines already aligns with the pledge's principles because it was founded by security practitioners committed to building secure enterprise software, including not charging extra for essential security features such as Single Sign-On (SSO).
Industry Perspective: Carrot vs. Stick
The discussion turns to whether the pledge works better as a carrot (an incentive for companies to adopt better security practices) or as a stick, which would impose penalties for non-compliance.
Matt Muller articulates:
"I actually do think that the pledge is a bit of a carrot, is that you're able to signal that this is actually something that you're willing to invest in."
[04:38]
He argues that while the pledge encourages companies to invest in security improvements, it remains non-binding, relying on market incentives rather than strict enforcement to drive change.
Challenges for Legacy Systems
Addressing concerns about older companies with legacy codebases, Matt acknowledges the difficulties they face in meeting the pledge requirements:
"It is a lot easier for a company built on a modern software stack ... to sign on now, even if they recognize that they have maybe a legacy platform..."
[04:25]
He suggests that for such companies, signing the pledge represents a commitment to long-term security enhancement, despite the immediate challenges posed by existing vulnerabilities.
Evaluating the Pledge’s Effectiveness
The conversation shifts to assessing the progress and success of the pledge since its inception in May of the previous year. Matt contends that it's too early to deem the pledge a failure due to the short timeframe:
"I don't agree with that, with that lens. Like, the pledge has not achieved its goal yet."
[07:17]
He emphasizes the need for a longer evaluation period to genuinely measure the pledge’s impact on reducing software vulnerabilities and improving overall security standards.
Secure by Design vs. Unforgivable Bugs
Host Tom Uren introduces the concept of Unforgivable Bugs, based on a UK National Cyber Security Centre (NCSC) white paper, and contrasts it with the Secure by Design pledge. Matt expresses support for a balanced approach incorporating both incentives and penalties:
"I would love if they were both. ... Even thinking about making my purchase decisions, I too would love to be able to hold out a carrot and say, this is a partnership..."
[11:16]
He advocates for the integration of both carrots (incentives) and sticks (penalties) to foster a more secure software development environment, suggesting that accountability through measurable benchmarks like Unforgivable Bugs could complement the pledge’s framework.
Impact on Software Procurement and Standards
The episode further explores how the Secure by Design pledge influences software procurement decisions. Matt notes that security leaders are increasingly prioritizing such commitments during vendor evaluations:
"We have been asked about whether or not we were secure by design pledge signers. ... I hope that more customers start putting questions about secure by design and making the pledge into more of their questionnaires."
[08:56]
He underscores that security certifications and alignment with stated security principles are becoming critical factors when organizations choose software vendors.
Conclusion and Future Outlook
In wrapping up, Matt Muller remains optimistic about the long-term benefits of the Secure by Design Pledge, anticipating a gradual improvement in software security standards as more companies adopt the pledge and integrate its principles into their development processes.
"The short term, you know, the pledge is, you know, saying, yes, we recognize that we all have to do better. ... it's important to symbolize that investment that you're making."
[05:03]
Host Tom Uren concludes the episode with a hopeful perspective, acknowledging the potential for enhanced security practices in the future as the industry continues to embrace both incentives and accountability measures.
This episode provides a nuanced examination of the strategies employed to bolster software security, highlighting the collaborative efforts between government initiatives and industry commitments to create a more secure digital landscape.
