F5 Makes CISA Secure by Design Pledge, Aligning with Industry on Security Deliverables

Samir Sherif Thumbnail
Samir Sherif
Published July 08, 2024
Kara Sprague Thumbnail
Kara Sprague
Published July 08, 2024

As we shared in our latest F5 State of Application Strategy (SOAS) report, complexity is common and pervasive for today’s organizations. IT professionals are struggling to manage multicloud environments and complex tooling solutions, which has led to sprawling operational challenges. This current reality was reinforced in the conversations at our annual AppWorld conference and subsequent events we have held across the globe over the past several months. As organizations juggle these challenges, it is imperative they align their IT strategy with solutions built with strong security controls.

That is why we’re continuing to partner with the Cybersecurity & Infrastructure Security Agency (CISA)—and it’s why F5 has joined the more than 150 companies that have taken CISA’s Secure by Design pledge. Launched at the RSA Conference earlier this year, the pledge reinforces the work we are already doing as a security company to best serve our customers and partners.

What is the CISA Secure by Design pledge?

The CISA Secure by Design pledge is a voluntary pledge focused on enterprise software products and services, including on-premises software, cloud services, and software as a service (SaaS). By participating in the pledge, software manufacturers are agreeing to make a good faith effort to work towards the seven goals listed below across their products within one year of signing the pledge: 

  • Multi-factor authentication (MFA): Measurably increase the use of multi-factor authentication. 
  • Default passwords: Show measurable progress towards reducing default passwords. 
  • Reducing entire classes of vulnerability: Achieve a significant reduction in the prevalence of one or more vulnerability classes. 
  • Security patches: Measurably increase the installation of security patches by customers. 
  • Vulnerability disclosure policy: Publish a vulnerability disclosure policy (VDP) that authorizes testing by members of the public on products, commits to not recommending or pursuing legal action against anyone engaging in good faith efforts to follow the VDP, provides a clear channel to report vulnerabilities, and allows for public disclosure of vulnerabilities in line with coordinated vulnerability disclosure best practices and international standards.
  • Common Vulnerabilities and Exposures (CVEs): Display transparency in vulnerability reporting by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every CVE record for products—and issue CVEs in a timely manner, especially for critical or high-impact vulnerabilities. 
  • Evidence of intrusions: Achieve a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting products.

How the pledge aligns with F5’s product and services strategy

Our portfolio is designed to solve our customers’ most difficult hybrid and multicloud pain points. That falls flat if we do not deliver on security. The CISA Secure by Design pledge reinforces a level of security that our customers and partners should already expect. After all, don’t we have enough to deal with in the current threat landscape? 

To learn more, read the full CISA Secure by Design pledge.