As a cybersecurity leader, Tenable was proud to be one of the original signatories of CISA’s “Secure by Design" pledge earlier this year. Our embrace of this pledge underscores our commitment to security-first principles and reaffirms our dedication to shipping robust, secure products that our users can trust. Read on to learn how we’re standing behind our pledge.
In May, Tenable was part of the first wave of supporters of the “Secure by Design” pledge from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), joining 67 other leading software makers. We decided to sign this pledge enthusiastically and with a deep sense of commitment, as we believe this CISA initiative will help strengthen the global digital ecosystem against cyberthreats. In this blog post, we delve deeper into how we’re embracing secure-by-design practices in our products.
Multi-factor authentication (MFA)
MFA is the first principle on CISA’s pledge. Specifically, signatories commit to “measurably increase” their use of MFA across their products within one year of signing the pledge. Here’s where Tenable stands with regards to MFA.
MFA is not only a good-to-have security measure, but it’s also a critical component of a modern security strategy, enhancing identity protection and making it significantly more difficult for attackers to succeed.
Research has consistently shown that any form of MFA provides substantial protection against identity compromise. However, adopting more secure forms of MFA, such as phishing-resistant MFA, further enhances protections. These methods, including hardware tokens and biometric verification, offer superior protection against sophisticated targeted attacks.
Organizations should prioritize increasing MFA enrollment among their users. Special attention should be given to administrators and high-privilege users, ensuring they utilize the most secure MFA methods available. This approach helps mitigate risks associated with critical access points and protects sensitive information.
The Tenable One Exposure Management Platform supports SMS for MFA and also allows customers to bring their own authenticator app. Additionally, customers can enforce MFA through their identity provider, which streamlines user management, reduces authentication friction, and supports scalability as organizations grow. By empowering customers with control over their MFA settings, Tenable builds trust and provides a more secure, efficient, and user-friendly platform.
Pledge:
Tenable is committed to enhancing the security of our platform. Recognizing that MFA is the greatest defense against password-based attacks such as credential stuffing and password theft, we pledge to phase out SMS-based MFA, which, while useful, does not offer the highest level of protection.
We will require MFA by default for all our customers, emphasizing the adoption of more secure, phishing-resistant MFA methods. By increasing MFA enrollment across the board, we aim to provide an even more secure environment for our users. Our commitment is to ensure that our platform remains robust against evolving threats and provides the best possible security for our customers.
Default passwords
The CISA pledge addresses default passwords next, calling on backers to reduce their use of default passwords across their products within one year of signing the pledge.
We’re happy to say that our Tenable One Exposure Management Platform does not provide default passwords for users. Default passwords, as defined by CISA, are shared passwords preset across various products. These passwords are a significant security risk, as they can be easily exploited in attacks, especially on internet-facing assets. Reducing the number of default passwords in use is crucial to minimizing these vulnerabilities.
To mitigate the risk posed by default passwords, they should be replaced with more secure authentication mechanisms. Examples include unique, strong passwords for each user or non-human identity. Ideally, these should be complemented by MFA, which provides an additional layer of security as discussed above.
Additionally, we have strong password requirements for our SaaS platform. Specifically, passwords must be at least 12 characters long and contain the following:
- An uppercase letter
- A lowercase letter
- A number
- A special character
Pledge:
We are dedicated to advancing the security of our platform by addressing the vulnerabilities associated with passwords, as highlighted by CISA. We will introduce password expiry policies to ensure that passwords are regularly updated, reducing the window of opportunity for potential attackers. This practice will ensure that stale credentials are routinely refreshed, enhancing overall security.
In addition, we are committed to implementing passkeys by the end of 2025. Passkeys offer a robust and phishing-resistant form of authentication, utilizing cryptographic methods to ensure that only authorized users can access their accounts. This shift represents a significant enhancement of our password security practices, ensuring that our platform remains resilient against evolving cyber threats.
Reducing entire classes of vulnerability
The CISA pledge continues by addressing the topic of vulnerability classes, and the importance for software makers to proactively reduce the prevalence of one or more vulnerability classes from their products within a year of signing the pledge.
The vast majority of exploited vulnerabilities today stem from preventable issues, such as SQL injection, cross-site scripting (XSS), and memory safety flaws. Addressing these vulnerabilities at scale is crucial for enhancing the security of software products.
Tenable is committed to mitigating these risks by leveraging secure-by-design principles throughout the Tenable One platform.
None of the services in the Tenable One platform are developed using memory unsafe languages. Our platform’s backend is built in Kotlin, and the frontend is implemented in TypeScript – both modern, memory-safe languages. This inherently helps avoid many memory safety vulnerabilities, like buffer overflows and memory leaks, thus contributing to a more secure foundation for our platform.
Pledge:
By continuing to develop our platform with a focus on memory-safe languages and secure coding practices, we pledge to reduce the prevalence of exploitable vulnerabilities, enhancing the security and trustworthiness of our products.
Security patches
Next, the CISA pledge calls on signatories to “measurably increase” the installation of security patches by customers.
It is essential for software manufacturers to take full responsibility for their customers’ security outcomes, even after the products are shipped. This means that our obligation to ensure security doesn’t end at deployment. Instead, we continue to safeguard our users’ environments throughout the lifecycle of the platform.
Customers automatically receive security updates for all Tenable SaaS products without any action needed by the customer. We have application security tools to detect supply chain vulnerabilities and leaked secrets. These tools are run as gates in CI/CD pipelines.
Tenable also leverages golden image templates for our server infrastructure. These templates are generated weekly and are applied to all newly created servers until the next template is available. Each template is configured to run daily security updates to minimize vulnerabilities. Additionally, each server has a 7-day time-to-live (TTL) to prevent the accumulation of kernel-level vulnerabilities.
As a cybersecurity leader, we go beyond securing the infrastructure. We secure the entire supply chain by running security tools as a blocking gate in CI/CD pipelines. Each build is required to meet our security threshold in the following tools:
- Static analysis: We scan the entire codebase for security weaknesses.
- Secret scanning: We scan every pull request to mitigate any potential secret leak.
- Software composition analysis: We scan open-source dependencies to ensure we are keeping software up-to-date while managing risk.
- Container scanning: We scan each container image for vulnerabilities. We also go further by signing images we build before pushing them to our artifact registry, and we verify the image before pulling it into the runtime environment.
- Dynamic application security testing (DAST): The Tenable One platform regularly undergoes web application scanning to detect any potential weaknesses.
Pledge:
We recognize the critical importance of timely security patches. We will continue to provide timely security patches to better support the platform. By prioritizing the prompt release of security patches, we aim to make security a seamless experience for our customers, enhancing protection and confidence in our platform. Our dedication to security does not end at deployment; it is an ongoing commitment to our users’ safety and peace of mind.
Vulnerability disclosure policy
The “Secure by Design Pledge” calls on software manufacturers to publish a vulnerability disclosure policy (VDP) that provides a way for the public to disclose vulnerabilities.
Since our very beginning, Tenable has always maintained a vulnerability disclosure policy. We also leverage a public HackerOne VDP to continuously hunt for defects in our products. We reaffirm our commitment to not pursue legal action against individuals who follow our VDP in good faith. Our VDP will continue to provide clear channels for reporting vulnerabilities, ensuring prompt and effective responses.
Additionally, we have an available security.txt on our website and Tenable Trust to be as transparent as we can about vulnerability management and software security within our products.
Pledge:
Tenable will continue its vulnerability disclosure program to ensure customers have a way to disclose any vulnerabilities discovered in the Tenable One platform.
CVEs
Tenable is committed to demonstrating transparency in our vulnerability reporting practices. Tenable has historically provided security advisories for any defects found in our products. We are transparent about timelines and about giving credit for responsible disclosure.
Incorporating accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) details enhances the clarity and usefulness of our vulnerability reports. CWEs help categorize the type of vulnerabilities, while CPEs provide specifics about the affected software or hardware. We are committed to issuing CVEs promptly whether they are discovered by us or by third parties. This is crucial for enabling our customers to take immediate action to protect their environment.
By adhering to these practices, we reinforce our commitment to security and transparency, helping our customers stay informed against evolving threats.
Pledge:
Tenable will continue to demonstrate transparency while working with all parties in reporting vulnerabilities in our products.
We pledge to publish accurate CWE and CPE fields in every CVE record for our products.
We also plan to implement CVSS v4.0 scoring for our security advisories where available, with a fallback to v. 3.1. This enrichment of our CVE records will provide our customers with a comprehensive understanding of the severity and potential impact of vulnerabilities.
Evidence of intrusions
Lastly, the CISA pledge calls on signatories to show a “measurable increase” in their customers’ ability to gather evidence of cybersecurity intrusions in their products.
Ensuring that organizations can detect and understand cybersecurity incidents is crucial for maintaining a robust security program. This capability enables timely responses to intrusions, minimizing potential damage and facilitating effective remediation.
Software manufacturers can empower their customers by providing tools and artifacts, such as audit logs that allow them to gather evidence of intrusions. Audit logs are essential for tracking activities and identifying unusual behaviors that may indicate a security breach.
Tenable provides activity logs inside of the Tenable One platform since its launch. Unlike some SaaS companies, these activity logs are available to customers at no extra charge. These logs include Actor, Action, Target, Description, and Date/Time. These logs can be exported to a CSV or JSON file and are available in the UI and via the API.
Providing these tools aligns with the Secure by Design principle, which emphasizes taking ownership of customers’ security outcomes. This proactive approach ensures that security is integrated into the core of the product. It reflects Tenable’s commitment to helping customers achieve and maintain high security standards.
Additionally the Tenable Trust page provides status on platform availability, major announcements, and information on security assurances in our platform.
Pledge:
Tenable is committed to enhancing the security and transparency of our platform. In October, Tenable released an updated add-on for Splunk to empower our customers in detecting and understanding cybersecurity incidents. Through continuous customer feedback, we pledge to expand our Security Information and Event Management (SIEM) integration capabilities. This enables customers to monitor audit logs using their in-house SIEM solutions, providing them with comprehensive visibility and timely insights into potential solutions.
In closing, we want to express our appreciation to CISA Director Jen Easterly and CISA Senior Technical Advisors Bob Lord and Jack Cable for their leadership in the creation of the "Secure by Design" pledge program.