At Rubrik, we take software security extremely seriously. That's why we're proud to announce that Rubrik has adopted the Cybersecurity and Infrastructure Security Agency’s (CISA) Secure by Design Pledge. This voluntary pledge focuses on enterprise software products and services, and by taking it, we're committing to make a good-faith effort to work towards seven key goals over the next year to further enhance the security of our offerings.

The Secure by Design Pledge aligns with our core principles and dedication to delivering secure and resilient data protection solutions to our customers. The seven goals outlined in the pledge are:

1. Increasing the use of multi-factor authentication across products

2. Reducing default passwords 

3. Reducing entire classes of vulnerabilities

4. Increasing the installation of security patches by customers

5. Publishing a vulnerability disclosure policy

6. Demonstrating transparency in vulnerability reporting

7. Increasing the ability for customers to gather evidence of cybersecurity intrusions

These goals represent industry best practices in areas like authentication, vulnerability management, coordinated vulnerability disclosure, and enabling better detection and response capabilities for customers. By adopting the pledge, we're doubling down on our efforts in these critical areas of software security.

So how do we meet these commitments today, and how are we working to improve?

Multi-Factor Authentication: For over a year, all Rubrik system deployments have come with a default configuration mandating multi-factor authentication (MFA) that customers cannot disable. Moving forward, we’ll continue introducing new features to make MFA even easier to implement for our customers.

Reducing Default Passwords: Rubrik does not use default passwords in most of our products and requires customers to configure long, complex passwords for all accounts. In areas where default passwords are still required for technical reasons, customers are encouraged to change those passwords as part of their Rubrik onboarding process. There are plans to phase out these remaining default passwords as part of our commitment to high security standards and this pledge.

Vulnerability Reduction: Our engineering teams are focused on preventing entire classes of vulnerabilities like SQL injection and memory safety issues through techniques like parameterized queries and a transition to memory-safe languages.

Increasing the installation of security patches by customers: When important security patches are released, Rubrik employs a combination of in-product notifications and targeted direct email campaigns to inform customers about issues and encourage upgrades.  

Coordinated Vulnerability Disclosure: Rubrik publishes a vulnerability disclosure policy that authorizes security research on our products and provides a clear process for reporting and disclosing vulnerabilities.

Transparency: We're enriching our CVE reporting with accurate weakness and platform details to increase transparency around vulnerabilities in our products.

Evidence Gathering: We're expanding our auditing and logging capabilities to better enable our customers to detect and investigate potential security incidents.

The Secure by Design Pledge complements our existing secure development practices, but making this public commitment represents an important milestone. It reinforces our focus on delivering solutions that are secure by design and our accountability to our customers when it comes to the security of our products.

Over the next year, we'll be sharing regular updates on our progress towards these goals. We're excited to be part of this industry-wide effort to raise the bar for software security. We understand that the landscape of cybersecurity is ever-evolving, and we are dedicated to adapting and enhancing our security measures to meet and exceed industry standards. Our commitment to these principles is unwavering, and we look forward to working collaboratively with our partners and peers to foster a more secure digital environment for all.