Tech and security companies pledge to adopt 'secure-by-design' methodologies in their products and services.
The secure-by-design pledge, signed by 68 technology giants such as Microsoft and Google, aims to integrate proactive cybersecurity practices into the software development lifecycle. This commitment, announced by the Cybersecurity and Infrastructure Security Agency (CISA), is a significant step towards reducing vulnerabilities in enterprise software and enhancing national security.
However, a closer look at the current status of the pledge's implementation reveals some uncertainties. Concrete data on the overall compliance rate or the full status of implementation across signatories is not explicitly reported, leaving the public without a precise understanding of how thoroughly these companies, including Microsoft and Google, have adopted the pledge's measures.
The pledge encourages the use of memory-safe languages (MSLs) to eliminate whole classes of memory-safety bugs, the adoption of multifactor authentication, and the reduction of default passwords. It also emphasises transparency in vulnerability disclosures and the sharing of information about security incidents affecting products.
Despite the pledge, long-understood vulnerability classes such as SQL injection continue to be exploited, as demonstrated by a recent Fortinet vulnerability. That incident shows the problem persists even among signatories and highlights the need for continued vigilance and improvement in secure software development practices.
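SQL injection is one of the vulnerability classes that secure-by-design practices are meant to remove outright rather than patch case by case. The following is an added illustration, not code from the article or from any of the companies it names, using a constructed in-memory SQLite table: the first login function builds its query by string concatenation and can be bypassed with a crafted username, while the second binds the same inputs as parameters so they are never parsed as SQL.

```python
import sqlite3

# Constructed sample data for the demonstration; not taken from the article.
SEED_USERS = [
    ("alice", "hash-of-alice-password", 1),
    ("bob", "hash-of-bob-password", 0),
]

# Hypothetical attacker input: closes the string literal and comments out
# the rest of the WHERE clause, so the password check is never evaluated.
BYPASS_USERNAME = "alice' --"


def make_db():
    """Create a throwaway in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_USERS)
    return conn


def login_vulnerable(conn, username, password_hash):
    """Builds the query by concatenation: user input becomes SQL syntax."""
    query = (
        "SELECT username FROM users WHERE username = '" + username + "' "
        "AND password_hash = '" + password_hash + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password_hash):
    """Parameterized query: the driver binds inputs as data, never as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both variants against the same crafted input and report outcomes."""
    return {
        # Vulnerable path: the comment marker disables the password check,
        # so an attacker who knows a username logs in with a bogus hash.
        "vulnerable_bypassed": login_vulnerable(make_db(), BYPASS_USERNAME, "bogus"),
        # Safe path: the literal string "alice' --" matches no username.
        "safe_bypassed": login_safe(make_db(), BYPASS_USERNAME, "bogus"),
        # Safe path still works for a legitimate credential pair.
        "safe_legitimate": login_safe(make_db(), "alice", "hash-of-alice-password"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The point a practitioner should take from this is that the fix is structural, not a matter of filtering individual bad inputs: once every query in a codebase is parameterized, the injection class disappears, which is the kind of measurable outcome the pledge asks signatories to report on.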
Bret Arsenault, corporate VP and chief cybersecurity advisor at Microsoft, has stated that the pledge aligns with many of the commitments the company recently made as part of its Secure Future Initiative. The companies have agreed to implement these measures over the next 12 months.
The secure-by-design pledge is part of CISA's broader Secure by Design initiative, which encourages software makers and other technology companies to build security into their products during the design and development stages rather than bolting it on afterwards.
Corporate stakeholders are increasingly interested in understanding the risk calculus of their technology stacks, with a focus on determining whether they are potential targets. The pledge's voluntary nature, coupled with CISA's lack of an enforcement mechanism, raises questions about signatories' willingness to follow through on their commitments.
As we move forward, it is crucial to monitor the progress and impact of the secure-by-design pledge. While the pledge represents an important industry commitment to improve software security, publicly available information does not provide a precise compliance rate or detailed status of how thoroughly signatories have adopted its measures as of August 2025.
The secure-by-design pledge, signed by technology giants like Microsoft and Google, encourages proactive cybersecurity practices and the reduction of vulnerabilities in enterprise software through measures such as memory-safe languages, multifactor authentication, and transparency in vulnerability disclosures. Despite these commitments, persistent vulnerability classes like SQL injection continue to be exploited, raising questions about the pledge's effectiveness and about signatories' willingness to follow through, especially in the absence of an enforcement mechanism.