Sophos Gives Update on its Commitment to CISA’s Secure by Design Initiative

Technology is woven into almost every aspect of our personal and business lives, which makes it imperative that all software, whatever its purpose, is developed with cybersecurity as a fundamental requirement. Without security built in as a primary element, a reliable digital ecosystem is not achievable.

To accelerate the adoption of a security-first approach, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) introduced its Secure by Design pledge on May 8, 2024. Sophos is proud to be among the first organizations to sign it. The pledge concentrates on seven goals for technology and product security:

  1. Multi-factor authentication
  2. Default passwords
  3. Reducing entire classes of vulnerability
  4. Security patches
  5. Vulnerability disclosure policy
  6. Common Vulnerabilities and Exposures (CVEs)
  7. Evidence of intrusions

Signing the pledge means:

  1. Committing to the principles of secure design;
  2. Committing to transparency in cybersecurity and to continuous improvement;
  3. Acknowledging that every vendor must take full accountability for the security and integrity of the technologies it designs, builds, and sells.

We are pleased to publicly share our current status and commitments against each of the seven goals of the Secure by Design pledge, and we commit to giving regular updates on our progress towards them.

Aligned with the Sophos philosophy

As the CISO, I lead a diverse team of security architecture and application security experts who work closely with our engineering teams to design and build our products.

Together we work to ensure the ongoing, continually evolving integrity of our products for future customers and for the 600,000 organizations that already depend on them.

We understand that trust must be earned and verified, which is why transparency has long been a fundamental part of the Sophos philosophy.

Cybersecurity is hard because of what it takes to defend against active adversaries, and we understand that genuine transparency means disclosing the areas that need improvement as well as the achievements. In this post, and in the ones that follow, we acknowledge that there is work still to do, both in the industry and in our own organization. This is not merely an initiative CISA has launched; it is an essential mindset and framework that should be ingrained in the design and architecture of security products. We welcome constructive input on how we are tackling the seven goals.

Our Secure by Design commitments

Multi-factor authentication (MFA)

Sophos Central, our unified security console, requires MFA by default. Customers can also bring their own MFA through federated authentication. Both options are provided at no extra cost.

The large majority of our products are managed exclusively through Sophos Central. Our network products additionally allow direct management, and their administrative interfaces also support MFA, but we urge customers to manage devices through Sophos Central to avoid exposing administrative interfaces unnecessarily.

Our telemetry also shows that customers are at the highest risk when they expose administrative interfaces to the internet. On behalf of our customers we have undertaken a sustained effort to reduce this exposure. For example, we automatically time out unused internet-facing administrative portals on the Sophos Firewall platform. Over the past 18 months this has reduced the number of internet-exposed administrative interfaces across our customer base by 21.5%, and we aim to improve on that further.

Pledge:

Within the next year, we commit to launching passkey support in Sophos Central and to publishing adoption statistics for this phishing-resistant MFA mechanism.

Default passwords

Sophos Firewall is secure by default from first boot: users must set a strong password during device setup, and without doing so the device cannot be configured or used for its intended purpose. In addition, to protect the secrets and keys stored on the device, administrators must supply a second credential that is used to encrypt sensitive data on Sophos Firewall.

Using the management features in Sophos Central, full deployments of Sophos Firewall can now be carried out with the TPM-backed Zero Touch capability.

Pledge:

We commit to continuing to prohibit default credentials in all current and future products and services.

Reducing entire classes of vulnerability

Sophos makes extensive use of modern memory-safe languages and of frameworks designed to systematically prevent common OWASP Top 10 flaws such as XSS and SQLi. Sophos Central is written entirely in memory-safe languages.

For every critical CVE identified in Sophos products, we aim to systematically eradicate the root cause rather than simply fixing the specific vulnerability reported. For example, in 2020, when Sophos published a CVE caused by a legacy component that did not parameterize its SQL queries, Sophos launched a comprehensive project to find and eliminate every legacy non-parameterized SQL query across the entire product portfolio.
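The following is an added example, not Sophos code, illustrating the two halves of the sweep described above: the legacy pattern (a value spliced into the SQL text) beside its parameterized replacement, and a small scanner that walks Python source with the `ast` module and flags `execute()`/`executemany()` calls whose SQL is assembled at runtime. The table, the rows and the scanned source snippet are all constructed here; the scanner is a minimal illustration of the approach, not Sophos's tooling.

```python
"""Added example (not Sophos code): a non-parameterized SQL query, the injection it
allows, the parameterized fix, and an AST scanner that flags non-parameterized
execute() calls in Python source. All data here is constructed for the example."""
import ast
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: an in-memory users table with three rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Legacy pattern: the attacker-controlled value becomes part of the SQL text,
    # so a quote in the input changes the shape of the query.
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # Fix: the value is bound as a parameter; the driver never interprets it as SQL.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


class NonParameterizedSQL(ast.NodeVisitor):
    """Flags execute()/executemany() calls whose first argument is built at runtime
    (f-string, % formatting, str.format(), or + concatenation) rather than a literal."""

    def __init__(self) -> None:
        self.findings: list = []  # (line number, description)

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if (isinstance(func, ast.Attribute)
                and func.attr in ("execute", "executemany") and node.args):
            sql = node.args[0]
            if isinstance(sql, ast.JoinedStr):
                self.findings.append((node.lineno, "f-string SQL"))
            elif isinstance(sql, ast.BinOp) and isinstance(sql.op, (ast.Mod, ast.Add)):
                self.findings.append((node.lineno, "formatted or concatenated SQL"))
            elif (isinstance(sql, ast.Call) and isinstance(sql.func, ast.Attribute)
                  and sql.func.attr == "format"):
                self.findings.append((node.lineno, "str.format SQL"))
        self.generic_visit(node)


def scan_source(source: str) -> list:
    """Return (line, description) findings for non-parameterized SQL in `source`."""
    visitor = NonParameterizedSQL()
    visitor.visit(ast.parse(source))
    return visitor.findings


# Constructed source snippet to scan: lines 3, 4 and 6 are the legacy pattern,
# line 5 is the parameterized form and must not be flagged.
SAMPLE_SOURCE = '''
def find(cur, name):
    cur.execute("SELECT * FROM t WHERE n = '%s'" % name)
    cur.execute(f"SELECT * FROM t WHERE n = '{name}'")
    cur.execute("SELECT * FROM t WHERE n = ?", (name,))
    cur.execute("SELECT * FROM t WHERE n = '" + name + "'")
'''

if __name__ == "__main__":
    payload = "' OR '1'='1"  # classic tautology injection
    print("vulnerable:    ", lookup_vulnerable(make_db(), payload))     # all three rows
    print("parameterized: ", lookup_parameterized(make_db(), payload))  # no rows
    for line, why in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: {why}")
```

The scanner is deliberately narrow: it only catches the obvious formatting patterns on the direct argument, and a query built into a variable several lines earlier would need data-flow tracking. That is usually enough for a first sweep of a legacy code base, with the residue handled by code review.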

In SFOS v20, Sophos rewrote the Sophos Firewall VPN provisioning portal, an internet-facing, security-critical service, in Go to gain memory safety and protect against vulnerabilities arising from buffer overflows. Sophos released SFOS v20 in November 2023.

Pledge:

In SFOS v21, we commit to containerizing key services related to Central management, adding further trust boundaries and workload isolation. SFOS v22 will then bring a broad architectural redesign that better encapsulates the Sophos Firewall control plane, further reducing both the likelihood and the impact of RCE vulnerabilities.

Security patches

Customers automatically receive security updates for all Sophos SaaS services, including Sophos Central, with no manual intervention required. Sophos Firewall and Sophos Endpoint also automatically receive and install security hotfixes as soon as they are published, as part of their default settings.

Sophos Firewall users can disable this behaviour if they need to, but 99.26% of our customers keep it enabled, reflecting their trust in our thorough release testing.

Pledge:

Running the latest firewall firmware version brings security benefits beyond receiving security hotfixes by default. With that in mind, we commit to launching a feature by September 2025 that lets customers schedule Sophos Firewall firmware updates to be applied automatically.

Vulnerability disclosure policy

We believe Sophos runs an industry-leading responsible disclosure program, and we have benefited from the help of security researchers for many years. Since 2018 we have paid bounties for over 1,200 vulnerabilities and distributed almost $500,000 to the community. Our responsible disclosure policy includes safe harbor provisions so that researchers can engage with us without fear of legal repercussions. We pay up to $50,000 for vulnerabilities found in Sophos products and regularly raise payouts to support our researchers.

For more on our bug bounty program, watch Sophos CISO Ross McKerchar and Bugcrowd CEO Dave Gerry discuss the Sophos program.

Pledge:

We commit that within a year, Sophos will:

  1. Improve transparency and contribute to shared industry knowledge by publishing blog posts that review our findings and lessons learned from our vulnerability disclosure program.
  2. Increase the maximum bounty offered to security researchers.

Common Vulnerabilities and Exposures (CVEs)

Security-relevant defects are a high priority for Sophos and are consistently addressed. We have robust processes for publishing CVEs for on-premises products when a vulnerability is identified by an external source (for example, security researchers or red team exercises). However, we have identified historical cases where internally discovered findings were not assigned a CVE.

We do not currently issue CVEs for our hosted SaaS products. We consider this the industry norm, but we recognize the ongoing industry discussion on this topic and are taking part in it.

Pledge:

We commit to extending our internal processes so that we systematically publish CVEs for all internally identified vulnerabilities rated high or critical across our product portfolio.

Evidence of intrusions

Sophos products and services provide logging and auditing capabilities at no additional cost, giving customers what they need to carry out incident response.

Pledge:

We commit to adding further integration capabilities to Sophos Central to simplify exporting audit logs into third-party systems, targeting delivery before July 2025.

What's next

As we continue on this journey, we look forward to sharing regular updates on our commitments. Stay tuned for further developments.
