Resources

/

Podcasts

/

Secure IT

CISA Secure by Design: A Pledge to Secure Our World

Episode 06   Published May 16, 2024 17 minute watch

Secure IT

The Secure IT Podcast, hosted by Automox CISO Jason Kikta, is your one-stop shop for all things IT and cybersecurity. Jason knows good security comes from good IT. Step into a CISO’s shoes and trek through the world of technology and cyber defense to stay ahead of potential threats. Each episode is packed with the latest trends, tips, and expert advice.

Jason Kikta is the CTO of Automox

Host

Jason Kikta

RECENT EPISODES

Best-In-Class Remote Control

CISA's BOD 26-04 Directive Explained

[Nothing Weaponized, Everything Exposed]

[AI Hits the Hat Trick], Ep. 32

View all episodes

Available wherever you get your podcasts

Youtube

Apple Podcasts

Spotify

Overcast

Pocket Casts

Amazon Music

Castro

Goodpods

Castbox

Podcast Addict

Player FM

Deezer

Summary

Automox CISO Jason Kikta recaps RSA Conference 2024 and the announcement he traveled there to see. CISA's Secure by Design pledge drew 68 companies, including Automox, who voluntarily signed it. The pledge matters less for any single technical control and more for introducing accountability into corporate security culture. Signers tie their reputation to making measurable progress over the following year. Kikta covers each commitment: multi-factor authentication, eliminating default passwords, reducing whole classes of vulnerability, security patching, vulnerability disclosure, CVE transparency, and giving customers evidence of intrusions. Most of these were already baked into how Automox operates.

Takeaways

  1. CISA's Secure by Design pledge launched at RSA Conference 2024 with 68 companies, including Automox, voluntarily committing to make measurable progress on seven security goals within a year.

  2. The pledge's real value is accountability. Signers tie their public reputation to the commitments, which Jason Kikta expects to be a precursor to future regulation or law.

  3. Many vendors charge a premium for MFA and SSO, treating cornerstone security controls as enterprise upsells. These controls should be defaults. Kikta calls that practice close to unethical.

  4. The Change Healthcare and UnitedHealth breach started with single-factor Citrix exposed to the internet, which let an attacker in. It shows how passwords alone get compromised through credential stuffing or reuse.

  5. Reducing entire classes of vulnerability is the heaviest lift in the pledge. It covers parameterized queries against SQL injection, a memory-safe roadmap, secure defaults for developers, and web template frameworks that block cross-site scripting.

Topics

Vulnerability Remediation

See for yourself how policy-driven IT Automation saves time and eliminates risk.

Dive deeper into this topic

CISA's BOD 26-04 Directive Explained

Podcast

CISA BOD 26-04 sets a 3-day patch deadline for federal agencies. Here's what changed, why it will reach your organization, and what to do before it does
The Three-Day Clock: What CISA's New Patching...

CISA BOD 26-04 sets a 3-day patch deadline for federal agencies....

Dirty Frag: What You Need to Know and How to...

Dirty Frag is an unpatched Linux LPE chain affecting esp4, esp6,...

The Math of Modern Attacks

Podcast