Introduction
Secure By Design is a voluntary pledge focused on enterprise software products and services, including on-premises software, cloud services, and software as a service (SaaS). Physical products such as IoT devices and consumer products are not in scope for the pledge, though companies that wish to demonstrate progress in those areas are welcome to do so. By participating in the pledge, software manufacturers such as Imperva commit to making a good-faith effort to work towards the goals listed below over the following year.
The pledge is structured around seven key principles, and each principle has core criteria that manufacturers pledge to work towards. The pledge seeks to complement and build on existing software security best practices, including those developed by CISA, NIST, other federal agencies, and international and industry bodies. The Cybersecurity and Infrastructure Security Agency (CISA) continues to support adoption of complementary measures that advance a secure by design posture.
You can find our signature here.
Imperva stands by its commitment to the CISA Secure by Design Pledge, which further solidifies our reputation as a leader in cybersecurity.
Seven Key Principles of Secure by Design:
1. Multi-Factor Authentication (MFA):
Demonstrates actions taken to measurably increase the use of multi-factor authentication across the manufacturer’s products.
– Imperva supports MFA for users to access our MY console
2. Default Passwords:
Demonstrates measurable progress towards reducing default passwords across the manufacturers’ products.
– Imperva currently enforces password requirements
3. Reducing Entire Classes of Vulnerability:
Demonstrates actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products.
– All APIs to CWAF are protected by WAF
– API protection and Bot Protection are used to eliminate SQL injection attacks
– SecureIQLab testing validates performance with a 100% pass rate (read the report here)
4. Security Patches:
Demonstrates actions taken to measurably increase the installation of security patches by customers.
– As a SaaS product, CWAF applies patches itself, so the burden of patching does not fall on customers.
5. Vulnerability Disclosure Policy (VDP):
Publishes a vulnerability disclosure policy (VDP)
– Imperva runs a Responsible Disclosure Program and accepts bug bounty submissions
6. CVEs:
Demonstrates transparency in vulnerability reporting
– Imperva completes all necessary mitigation steps for CVEs before publishing them
7. Evidence of Intrusions:
Demonstrates a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products.
– Imperva CWAF provides its customers with all of their security logs, as well as access logs to track any traffic hitting the customer applications, whether deemed malicious or not. Additionally, we provide customers with full audit logs of every configuration change made on our system, including logins. We offer different log retention timeframes depending on the customer package (the base package includes 30 days of retention at no extra cost).
– All logs can be consumed via our GUI, via our APIs, or via SIEM integration
Third-Party Validation
Security solutions, regardless of their deployment method, should not increase the attack surface of the environments they are designed to protect. Additionally, privileges granted to security solutions should not be exploitable by threat actors. SecureIQLab assessed the security of Imperva’s Cloud WAAP product itself, testing it against 11 vulnerability assessment techniques commonly used to confirm that WAAP systems are built to reasonably protect against cyber-attacks, as recommended by the Cybersecurity and Infrastructure Security Agency (CISA).
Imperva is proud to announce that we passed the WAAP Vulnerability Assessment with a score of 100%. You can read more about their findings here.