Trend Micro and CISA Secure-By-Design Pledge

Introduction

Trend was pleased to sign CISA's Secure by Design pledge at the start of 2024; the company has been dedicated exclusively to cybersecurity for more than 35 years. Securing our own products matters as much as protecting our customers from adversaries. As a cybersecurity vendor building products across many domains, our research and development teams routinely face adversaries probing those products for vulnerabilities and weaknesses, and we have accumulated considerable experience in building safeguards into them. The sections below report our progress against each goal of the pledge. This is ongoing work, not a finished effort.

Objective                                            Status as of December 2024

Encourage adoption of multi-factor authentication    On target
Reduce the use of default passwords                  Accomplished
Reduce prevalence of common vulnerability classes    On target
Security updates                                     On target
Publish a vulnerability disclosure policy            Accomplished
Common Vulnerabilities (CVEs)                        Accomplished
Evidence of breaches                                 Accomplished

1. Encourage Adoption of Multi-Factor Authentication

  • “Within a year of pledging, demonstrate tangible efforts to significantly enhance the integration of multi-factor authentication (MFA) across the company’s products.”

Progress

Credential theft features in a large share of attacks, and MFA is an effective control against it. Trend Vision One™ has offered MFA login as an option for some time. It is currently opt-in; we plan to make it the default in 2025.

2. Reduce the use of default passwords

  • “Within a year of pledging, demonstrate significant progress towards reducing default password usage across the company’s products.”

Progress

All Trend products require the administrator to set a unique, strong password during initial setup.

3. Reduce common vulnerability classes

  • “Within a year of pledging, demonstrate initiatives towards effecting a substantial and measurable decline in the occurrence of one or more vulnerability types across the company’s products.”

Progress

Trend has been working to reduce the vulnerability classes that adversaries exploit most often. Trend Micro's Zero Day Initiative (ZDI) is the leading vendor-agnostic bug bounty program in the world and has for years disclosed bugs affecting a wide range of vendors, operating systems and applications. With more than $25M paid out for bugs and more than 13,000 advisories published since 2005, the program has helped vendors disclose and patch vulnerabilities before they are exploited as zero-days. ZDI also pays bounties for bugs in Trend's own products, giving us a source of findings beyond our internal programs. Over the past nine years, submissions have clustered in several vulnerability classes whose prevalence we aim to reduce:

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-59: Improper Link Resolution Before File Access ('Link Following')
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Our goal is to cut the number of submissions in these classes by 50% by 2025.
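The three classes listed above, shown as an added example that is not Trend Micro's code: each appears as the vulnerable pattern beside a hardened form. The HTML snippet, the in-memory SQLite table and the temporary files are constructed for the demo; the CWE-59 part assumes a POSIX system where os.O_NOFOLLOW exists.

```python
"""Vulnerable vs hardened forms of CWE-79, CWE-89 and CWE-59.

Illustrative code only (not from Trend Micro); all inputs are constructed.
"""
import html
import os
import sqlite3
import tempfile


# --- CWE-79: reflected cross-site scripting -------------------------------
def render_greeting_vulnerable(name: str) -> str:
    # Untrusted input is concatenated straight into the HTML response.
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    # html.escape neutralises <, >, &, ' and " before the value reaches the page,
    # so markup in the input is rendered as text rather than parsed as HTML.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# --- CWE-89: SQL injection -------------------------------------------------
def _demo_db() -> sqlite3.Connection:
    # Constructed sample table for the demo.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_role_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # String formatting lets the caller rewrite the WHERE clause
    # (e.g. name = "x' OR '1'='1" returns every row).
    rows = conn.execute(f"SELECT role FROM users WHERE name = '{name}'").fetchall()
    return [r[0] for r in rows]


def lookup_role_safe(conn: sqlite3.Connection, name: str) -> list:
    # Bound parameter: the value is passed to the engine separately from the
    # statement text and is never parsed as SQL.
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


# --- CWE-59: link following ------------------------------------------------
def read_log_vulnerable(path: str) -> bytes:
    # open() follows symlinks. A privileged service reading from a
    # user-writable directory can be steered to any file on the system.
    with open(path, "rb") as f:
        return f.read()


def read_log_safe(path: str) -> bytes:
    # O_NOFOLLOW makes the kernel refuse to open the final path component if
    # it is a symlink (OSError, ELOOP on Linux). Check and open are one
    # syscall, so there is no lstat()/open() race. Caveat: only the last
    # component is protected; a symlinked parent directory is still followed,
    # so the directory itself must also be trusted (or opened via openat()).
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        return os.read(fd, 1 << 20)
    finally:
        os.close(fd)


def demo_link_following() -> tuple:
    """Plant a symlink named like a log file pointing at a secret.

    Returns (vulnerable_reader_leaked_secret, safe_reader_refused).
    """
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret.txt")
        with open(secret, "wb") as f:
            f.write(b"TOP SECRET")          # constructed sensitive file
        link = os.path.join(d, "agent.log")
        os.symlink(secret, link)            # attacker-planted link
        leaked = read_log_vulnerable(link) == b"TOP SECRET"
        try:
            read_log_safe(link)
            refused = False
        except OSError:
            refused = True
        return leaked, refused


if __name__ == "__main__":
    print(render_greeting_safe("<script>alert(1)</script>"))
    db = _demo_db()
    print(lookup_role_vulnerable(db, "x' OR '1'='1"), lookup_role_safe(db, "x' OR '1'='1"))
    print(demo_link_following())
```

The point of each pair is that the fix removes the parsing ambiguity rather than filtering the input: the browser never sees the input as markup, the database engine never sees it as SQL, and the kernel never dereferences the link.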

4. Improve customer patching

  • “Within a year of pledging, demonstrate concerted activities to noticeably elevate the installation of security patches by customers.”

Progress

One of the most significant shifts of recent years has been the move to Software as a Service (SaaS), which lets the vendor patch the product in the cloud rather than wait for customers to patch on-premise installations, and has greatly shortened mean time to patch. Trend has moved many of its products to SaaS, but a large number of customers still run our on-premise products, often because regulatory, data-sovereignty or privacy requirements leave them no choice. We continue to improve the patching experience for those customers through several options:

  • Automated patch notifications
  • Automated patch downloads
  • Staged rollout, so customers choose which systems receive an update and when
  • The ability to specify which update version a system may run (e.g., p, p-1, p-2, and so on)

In addition, drawing on ZDI and our vulnerability research teams, we now give Vision One customers detailed information about disclosed vulnerabilities that affect them. With context and a risk assessment for each bug, customers can decide whether to patch, mitigate or virtually patch, and prioritize the highest-risk vulnerabilities first.

We will keep improving this area and adding options. Many long-standing on-premise customers are seeing the value of SaaS, but we recognize that many will stay on-premise, so we will keep improving their update process and making the case for prompt patching.

5. Publish a vulnerability disclosure policy

  • “Within a year of pledging, publish a vulnerability disclosure policy (VDP) endorsing public testing of the manufacturer’s products, pledging against legal action towards good-faith vulnerability reporters, establishing an accessible channel for vulnerability reporting, and allowing public vulnerability disclosure following coordinated vulnerability disclosure best practices and global standards.”

Progress

Product security has always been a priority for Trend Micro. We have published a vulnerability disclosure policy since 2017, the year Trend became a CVE Numbering Authority (CNA). The policy is updated as needed; the current version, which reflects our commitments under the pledge, is at www.trendmicro.com/vulnerability:

  • We have added explicit language stating that, as a general policy, we will not pursue or recommend legal action against security researchers or other parties who report vulnerabilities to us in good faith. A strong research community helps organizations stay ahead of malicious actors.
  • We publicly note that Trend is one of the original signatories to the pledge.

Below are public organizations supported and affiliated with Trend:
