Pledge vs Reality – Secure by Design

A few weeks ago, I stumbled upon the website of a company that had recently nominated itself to be part of “Secure by Design,” an endeavor championed by the Federal government and reinforced via several executive orders and corresponding guidelines disseminated by the Cybersecurity and Infrastructure Security Agency (CISA).

I saw how, in its ignorance, the company’s marketing engine plastered the walls of LinkedIn to proclaim that it is now “Secure by Design” by joining the elite club of who’s who in cybersecurity. A vanity contest of self-congratulation ensued, as if merely being in that club made a product company “Secure by Design.” Nevertheless, the vendor’s enthusiasm was commendable.

First of all, “Secure by Design,” as part of the federal administration’s effort to enhance cybersecurity and bolster American competitive advantage, is reiterated and promoted (or, more accurately, promulgated through a series of activities) by executive order. Executive orders are, by definition, decrees of the magistrate; they are not permanent, because they are not ratified by the sovereign.[1] Nevertheless, magistrates sometimes issue decrees that serve the general interest, even if not necessarily the general will. This executive order serves the general interest because there is a growing call for product manufacturers to be held liable for defects stemming from inadequate engineering practices. However, it could run against the general will, because small companies on shoestring budgets may struggle to meet such criteria and will face difficult trade-offs.

Although these criteria are voluntary, the aggressive marketing in the earlier example creates a fear of missing out. Small and mid-market companies, the lifeblood of the American economic engine and of its growth, now face additional criteria in order to compete with larger corporations, despite having novel and tangible offerings and having done things right from the get-go. This creates an artificial fiscal barrier to economic growth.

Alternatively, one can think of a wheat producer who suddenly invests in and produces cybersecurity goods because the return on investment is more lucrative. This is not a bad practice; if we say that s/he is wrong to do so, we make ourselves very bad capitalists. A good capitalist cares only that the return in the industry s/he ventures into is better than the return on wheat production. Put simply, the aforementioned vendor embodies sound capitalist principles by venturing into the cybersecurity industry, yet its marketing practices seem relatively poor and somewhat deceitful. Nonetheless, it is reasonable for the company to compete in the cybersecurity industry.

Pledging allegiance to a concept and joining the elite club is not the same as performing activities based on the recommended guidelines and, more importantly, withstanding independent scrutiny by a validation organization for at least every major product built. The CISA pledge itself is voluntary and self-attested: signatories commit to a good-faith effort toward its goals over the following year, and nothing in the pledge requires third-party verification of that effort. Withstanding independent scrutiny can be viewed as a duty, transforming an act of allegiance into a right.

SecureIQLab published a groundbreaking report on Web Application and API Protection (WAAP) a few weeks ago at RSA. It was groundbreaking because it was the first objective test whose results were based on security efficacy, operational efficiency, and “Secure by Design.” While some analyst firms have previously published numerous materials on WAAP, those were highly subjective.[2] Subjective material relies heavily on its psychological influence on readers, meaning that the reader’s state of mind affects their perception of the report.

In contrast, the SecureIQLab approach was objective, meaning the value of our results is independent of the human mind that produces or interprets them. You can read the comparative and individual reports here. Conclusions should be derived independently of personal feelings and attitudes towards the products.

So, what does the objective approach taken by SecureIQLab have to do with “Secure by Design”? As I articulated earlier, pledging allegiance to a concept does not necessarily mean adhering to it. SecureIQLab took the CISA guidelines a step further by converting them into objective test cases. These test cases were used to evaluate WAAP product vendors for “Secure by Design.” Vendors who met all of those criteria were recognized as “Secure by Design” graduates. Here are those graduates:[3]

You can look here to see and understand those objective assessment criteria. These vendors demonstrated full capability in meeting them. It is not about scoring 92 and earning an A to graduate; you need a perfect score of 100, or you fail. Other labs or agencies may award an A for a 92, but SecureIQLab requires perfection for graduation. Cybersecurity is serious, and so are we; hence the requirement for a perfect score.

Some of the vendors who graduated under our criteria have also pledged allegiance to the concept and demonstrated that they are genuinely Secure by Design. Others signed the pledge but failed our WAAP criteria and still have work to do. We sincerely hope those who failed will strive to improve their products, leading to better cybersecurity outcomes for the general good, rather than crafting clever responses to justify their shortcomings. Here is the full list of companies that have pledged so far, courtesy of CISA: https://www.cisa.gov/securebydesign/pledge

In our next round of public test reports, beginning with SASE (Secure Access Service Edge), we will continue to refine those criteria and promote the technologies and vendors that meet these objective standards. The only way to achieve this is through rigorous testing in research programs such as WAAP and SASE, run by validation organizations like SecureIQLab. Once vendors graduate under our criteria, they can rightfully use that achievement as marketing material to show the world how serious and diligent they are about the “Secure by Design” and “Secure by Default” concepts. I have a term for that: objective marketing!

-SecureIQLab

[1] J.-J. Rousseau, The Social Contract.

[2] Imre Lakatos, on the hallmark of science.

[3] Full list of 2024 WAAP test vendors: https://secureiqlab.com/wp-content/uploads/2024/05/WAAP-VENDOR-LIST-Q2-2024.pdf