February 9, 2025

With know-how options embedded throughout nearly each component of our private and enterprise actions, it’s important that every one software program – no matter its perform – is designed with cybersecurity as a core requirement. With out embedding safety as a primary precept, we can’t obtain the purpose of a reliable digital ecosystem.

To speed up the adoption of a security-led strategy, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) launched a Secure by Design pledge on Might 8, 2024. Sophos is proud to face among the many very first organizations to decide to the pledge, which focuses on seven core pillars of know-how and product safety:

  1. Multi-factor authentication
  2. Default passwords
  3. Lowering total courses of vulnerability
  4. Safety patches
  5. Vulnerability disclosure coverage
  6. CVEs
  7. Proof of intrusions

Signing this pledge is:

  1. A dedication to the ideas of safe design;
  2. A dedication to cybersecurity transparency and continuous enchancment;
  3. A recognition that every one distributors should take full duty for guaranteeing the safety and integrity of the applied sciences they design, construct, and promote.

We’re happy to publicly share our present state and pledges in opposition to every of the seven pillars of the Safe by Design framework and decide to offering common updates on our progress in the direction of them.

Aligned to the Sophos philosophy

As CISO, I lead a cross-functional staff that features specialists in safety structure and software safety who work intently with our engineering groups to design and construct our options.

We work collectively to make sure the continued, always evolving integrity of our options for future clients and the 600,000 organizations that already depend on them.

We perceive that belief have to be earned and verified, which is why transparency is a longstanding cornerstone of Sophos’s philosophy.

Cybersecurity is difficult as a result of inherent nature of what it takes to defend in opposition to lively attackers, and we acknowledge that true transparency means sharing each areas for growth in addition to successes. On this article, and in others to return, we acknowledge that throughout the {industry} and inside our personal group there’s work to do. This isn’t a one and executed initiative that CISA has created – it’s a much-needed mind-set and framework that ought to be constructed into the design and structure of safety options. We welcome constructive suggestions on how we’re addressing the seven pillars.

Our Safe by Design pledges

Multi-factor authentication (MFA)

Sophos Central, our unified safety console, enforces MFA by default. Clients can even make the most of their very own MFA by way of federated authentication. Each choices can be found at no extra price.

Nearly all of our merchandise are managed solely by Sophos Central. The place our community merchandise enable direct administration, administrative interfaces additionally help MFA, however we strongly encourage clients to handle gadgets by way of Sophos Central to keep away from pointless publicity of administration interfaces.

Moreover, our knowledge identifies that clients are most in danger once they expose administration interfaces to the web. On behalf of our clients, we now have undertaken a sustained effort to cut back this publicity. For instance, we actively trip unused internet-facing administration portals on our Sophos Firewall platform. Over the previous 18 months, this has lowered internet-exposed administrative interfaces throughout our buyer base by 21.5%, and we intention to enhance on this additional.

Pledge:

Over the following 12 months, we pledge to launch passkey help in Sophos Central and publish adoption statistics of this stronger MFA mechanism

Default passwords

Sophos Firewall ensures secure deployments from the primary boot, requiring customers to create robust passwords on machine setup. With out finishing this step, configuring and utilizing the community gadgets for his or her meant objective is unimaginable. To additional shield the secrets and techniques and keys saved on the machine, directors should present a secondary credential which is used to encrypt delicate knowledge on Sophos Firewall.

Leveraging the administration capabilities in Sophos Central, full deployments of Sophos Firewall at the moment are attainable utilizing the TPM-backed Zero Contact performance.

Pledge:

We pledge to proceed to disallow default credentials in all present and future services and products.

Lowering total courses of vulnerability

Sophos makes in depth use of contemporary memory-safe languages and frameworks designed to systematically forestall frequent OWASP Prime 10 bugs akin to XSS and SQLi. Sophos Central is written solely in reminiscence secure languages.

For all crucial CVEs recognized in Sophos merchandise, we intention to systematically get rid of the underlying subject as a substitute of solely fixing the recognized vulnerability. As an example, in 2020 when Sophos disclosed a CVE as a result of a legacy element not adequately parameterizing SQL queries, Sophos ran a large-scale initiative to determine and take away all legacy non-parameterized SQL queries throughout all the product.

In SFOS v20, Sophos rewrote the Sophos Firewall VPN provisioning portal, an internet-facing security-critical service, in Go to enhance reminiscence security and guard in opposition to vulnerabilities attributable to buffer overflows. Sophos launched SFOS v20 in November 2023.

Pledge:

In SFOS model v21, we pledge to containerize key companies associated to Central administration so as to add extra belief boundaries and workload isolation. Moreover, SFOS v22 will embrace an intensive structure redesign, which can higher containerize the Sophos Firewall management airplane, additional decreasing the chance and impression of RCE vulnerabilities.

Safety patches

Clients mechanically obtain safety updates for all Sophos SaaS companies, together with Sophos Central, with no handbook intervention required. Sophos Firewall and Sophos Endpoint additionally mechanically obtain and set up safety patches as they’re launched as a part of their default configuration.

Whereas Sophos Firewall clients can manually disable this characteristic if required, 99.26% of our clients maintain this characteristic enabled, demonstrating their confidence in our rigorous launch testing.

Pledge:

Working the most recent firewall firmware model affords extra safety advantages past receiving safety hotfixes by default. With this in thoughts, we pledge to launch a characteristic by September 2025 that allows clients to mechanically schedule Sophos Firewall firmware updates.

Vulnerability disclosure coverage

We consider Sophos runs an industry-leading accountable disclosure program and has been lucky to profit from the help of safety researchers for a few years. Since 2018, we now have issued rewards for greater than 1,200 vulnerabilities and paid out nearly $500,000 to the neighborhood. Our accountable disclosure coverage contains secure harbor provisions to make sure researchers can interact with us with out danger of authorized motion. We pay as much as $50,000 for vulnerabilities recognized in Sophos merchandise and frequently improve payouts to help our researchers.

For extra particulars on our Bug Bounty program see Sophos CISO, Ross McKerchar, and Bugcrowd CEO, Dave Gerry, discuss the Sophos program.

Pledge:

We pledge that inside a 12 months Sophos will:

  1. Improve transparency and add to collective {industry} data by publishing weblog posts that evaluation our findings and classes realized from our vulnerability disclosure program.
  2. Improve the utmost reward out there to safety researchers.

CVEs

Safety-relevant defects are a prime precedence for Sophos and are constantly addressed. Robust processes are in place that allow us to publish CVEs in on-premises merchandise when a vulnerability is recognized by an exterior supply (e.g. safety researchers, crimson staff workout routines, and so forth.). Nonetheless, we now have recognized some historic cases the place inner findings weren’t assigned a CVE.

We don’t presently publish CVEs for our hosted SaaS merchandise. We consider that is customary {industry} apply, however we acknowledge and are taking part within the ongoing {industry} dialogue on this matter.

Pledge:

We pledge to increase our inner processes to constantly publish exterior CVEs for all recognized inner vulnerabilities of a severity of excessive or crucial in our merchandise.

Proof of intrusions

Sophos services and products present logging and auditing capabilities at no additional price, permitting clients to carry out incident response.

Pledge:

We pledge to supply extra integration capabilities in Sophos Central to simplify the ingestion of audit logs into third events, with goal implementation previous to July 2025.

Subsequent steps

As we proceed to progress on our journey, we look ahead to sharing common updates in opposition to our pledges. Please look out for future updates.