Imperva and the Secure by Design Pledge: A Commitment to Cybersecurity Excellence
2024-11-20 05:45:22 Source: securityboulevard.com

The Cybersecurity and Infrastructure Security Agency (CISA) has introduced a voluntary “Secure by Design Pledge” for enterprise software manufacturers, focusing on improving the security of their products and services. This pledge outlines seven key principles, forming the core of a robust secure-by-design ethos. Let’s explore these principles and how Imperva aligns with them. 

Seven Key Principles of Secure by Design:

1. Multi-Factor Authentication (MFA):  

The pledge encourages increased MFA usage across products, emphasizing phishing-resistant methods, with examples including default MFA enablement and “seat belt chimes” to nudge users. Imperva already implements robust MFA across its services.  

Customer security is our business. We support standards-based single sign-on (SSO) in the baseline version of each product and implement two-factor authentication (2FA) to enhance the security of your data and our network. By requiring two forms of identification, 2FA adds an extra layer of protection, making it much harder for unauthorized users to access sensitive information. This helps us ensure that your personal and business data remains secure, reducing the risk of security breaches and enhancing overall trust in our services. 

In addition to a user’s regular User ID and Password, 2FA employs a trusted third-party validation method to confirm their identity.

2. Default Passwords:  

The pledge aims to eliminate default passwords, replacing them with more secure authentication. Imperva already employs random, instance-unique passwords and requires strong password creation upon installation. For system level passwords and internal communication credentials – we have a strict policy against default passwords, as well as enforcement of password rotation. We actively encourage customers to use more advanced authentication methods such as key pairs, certificates and short-lived tokens where applicable.

3. Reducing Entire Classes of Vulnerability:  

This principle focuses on proactively reducing common vulnerability classes like SQL injection and cross-site scripting. At Imperva, we have a program to promote secure coding principles in our development organization and implement continuous code scans to ensure code quality and security. Potential vulnerabilities are resolved according to their severity and our vulnerability handling policies. Security aspects related to both application and infrastructure security are an integral part of change management and new code delivery. Security acceptance tests include automation tool scans as well as manual penetration testing to ensure early discovery and handling of potential vulnerabilities.

We consistently enforce the use of parameterized queries to prevent SQL injection attacks, and our web template frameworks include built-in protection against cross-site scripting vulnerabilities. We also use memory-safe languages in all new products.
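As an added illustration of the two controls named above (not Imperva's code), the snippet below places a string-built query beside its parameterized form and shows template-style auto-escaping of user-supplied data. The sqlite3 database, its two user rows and the probe input are constructed for the demo.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory sample database for the demo; not a real schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob")])
    return conn


def lookup_concat(conn, name):
    # Vulnerable pattern: the untrusted value is spliced into the SQL text,
    # so a quote character in it changes the structure of the statement.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_param(conn, name):
    # Hardened pattern: a '?' placeholder. The driver binds the value as
    # data, so it is compared literally and never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def render_greeting(name, autoescape=True):
    # Template-style rendering. With autoescape on (the framework default the
    # post refers to), markup in user data is emitted as inert text.
    shown = html.escape(name, quote=True) if autoescape else name
    return f"<p>Hello, {shown}</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed input containing a quote character
    print("concatenated:", lookup_concat(db, probe))  # returns every user
    print("parameterized:", lookup_param(db, probe))  # no such user: []
    print(render_greeting("<b>Mallory</b>"))
```

The same probe string yields every row through string concatenation and no rows through the bound parameter, which is exactly the class of defect the parameterized form removes.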

4. Security Patches:  

The pledge emphasizes improving customer security patch installation rates. However, with CloudWAF and other SaaS products, the burden of patching is not on our customers. We do follow a strict practice internally.

Vulnerability management is an integral part of maintaining a secure organization by limiting the ability to exploit vulnerabilities. New vulnerabilities are identified all the time. The Imperva InfoSec team has a program to assess and address identified vulnerabilities. Priorities are set using the vulnerability rating (e.g. CVSS score) and the compensating controls in place that mitigate the risk.

NOTE: Patching relies on two processes: ongoing corporate system patching, and vulnerability scanning to identify vulnerabilities that may have been missed.

The scope of Imperva’s Vulnerability and Patch Management program includes both the corporate and the production environments as follows:  

  • Laptops and office phones  
  • Servers (physical and virtual)  
  • Network devices  
  • Systems and software (Third Party apps and DB etc.)  
  • Production environments for our service such as Imperva Cloud WAF  
  • Imperva Cloud WAF third party data center hosting sites (PoPs)  

5. Vulnerability Disclosure Policy (VDP):  

The pledge requires a public VDP authorizing public testing, committing to not pursuing legal action against good-faith reporters, and providing a clear reporting channel.  

We encourage security researchers to share the details of any suspected vulnerabilities with the Imperva Information Security Team by submitting a bug bounty form. Imperva then reviews the submission to determine whether the finding is valid and has not been previously reported. At Imperva’s discretion, the submission may be eligible for monetary compensation. We require security researchers to include detailed information, including step-by-step instructions, that allows us to reproduce the vulnerability. More information is available in our Responsible Disclosure Policy.

6. CVEs:  

The pledge promotes transparency in vulnerability reporting, requiring accurate CWE and CPE fields in every CVE record and timely issuance for critical vulnerabilities. For a SaaS solution like CloudWAF, we find this to be less relevant as we conduct all necessary steps required to mitigate any CVEs before publishing releases.

7. Evidence of Intrusions:  

This principle focuses on enabling customers to gather evidence of intrusions.  

Imperva CWAF provides its customers with all of their security logs as well as access logs to track any traffic hitting the customer applications, whether deemed malicious or not. Additionally, we provide customers with full audit logs of any configuration change made on our system, including logins. We provide different log retention timeframes depending on the customer package (the base package comes with 30 days of retention at no extra cost).

3rd Party Validation 

Security solutions, regardless of their deployment method, should not increase the attack surface of the environments they are designed to protect. Additionally, privileges granted to security solutions should not be exploitable by threat actors. SecureIQLab assessed the security of Imperva’s Cloud WAAP product itself, testing it against 11 vulnerability assessment techniques commonly used to verify that WAAP systems are built to reasonably protect against cyber-attacks, as recommended by the Cybersecurity and Infrastructure Security Agency (CISA).

Imperva is proud to announce that we passed the WAAP Vulnerability Assessment with a score of 100%. You can read more about their findings here.

Imperva believes in its commitment to the CISA Secure by Design Pledge which further solidifies our reputation as a leader in cybersecurity. As we head into 2025 together, let’s all commit to making our world and the technology we use more secure by design. 


*** This is a Security Bloggers Network syndicated blog from Blog authored by Michael Wright. Read the original post at: https://www.imperva.com/blog/imperva-and-the-secure-by-design-pledge-a-commitment-to-cybersecurity-excellence/


Article source: https://securityboulevard.com/2024/11/imperva-and-the-secure-by-design-pledge-a-commitment-to-cybersecurity-excellence/