Sophos Provides Progress on its Pledge to CISA’s Secure by Design Initiative

With technology solutions embedded across almost every element of our personal and business activities, it’s essential that all software – whatever its function – is designed with cybersecurity as a core requirement. Without embedding security as a first principle, we cannot achieve the goal of a trustworthy digital ecosystem.

To accelerate the adoption of a security-led approach, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) launched a Secure by Design pledge on May 8, 2024. Sophos is proud to stand among the very first organizations to commit to the pledge, which focuses on seven core pillars of technology and product security:

1. Multi-factor authentication
2. Default passwords
3. Reducing entire classes of vulnerability
4. Security patches
5. Vulnerability disclosure policy
6. CVEs
7. Evidence of intrusions

Signing this pledge is:

1. A commitment to the principles of secure design;
2. A commitment to cybersecurity transparency and continual improvement;
3. A recognition that all vendors must take full responsibility for ensuring the security and integrity of the technologies they design, build, and sell.

We are pleased to publicly share our current state and pledges against each of the seven pillars of the Secure by Design framework and commit to providing regular updates on our progress towards them.

Aligned to the Sophos philosophy

As CISO, I lead a cross-functional team that includes specialists in security architecture and application security who work closely with our engineering teams to design and build our solutions.

We work together to ensure the ongoing, constantly evolving integrity of our solutions for future customers and the 600,000 organizations that already rely on them.

We understand that trust must be earned and verified, which is why transparency is a longstanding cornerstone of Sophos’s philosophy.

Cybersecurity is challenging due to the inherent nature of what it takes to defend against active attackers, and we recognize that true transparency means sharing both areas for development as well as successes. In this article, and in others to come, we acknowledge that across the industry and within our own organization there is work to do. This is not a one and done initiative that CISA has created – it’s a much-needed way of thinking and framework that should be built into the design and architecture of security solutions. We welcome constructive feedback on how we are addressing the seven pillars.

Our Secure by Design pledges

Multi-factor authentication (MFA)

Sophos Central, our unified security console, enforces MFA by default. Customers can also utilize their own MFA via federated authentication. Both options are available at no additional cost.

The majority of our products are managed solely by Sophos Central. Where our network products allow direct management, administrative interfaces also support MFA, but we strongly encourage customers to manage devices via Sophos Central to avoid unnecessary exposure of management interfaces.

Additionally, our data identifies that customers are most at risk when they expose management interfaces to the internet. On behalf of our customers, we have undertaken a sustained effort to reduce this exposure. For example, we actively time out unused internet-facing administration portals on our Sophos Firewall platform. Over the past 18 months, this has reduced internet-exposed administrative interfaces across our customer base by 21.5%, and we aim to improve on this further.

Pledge:

Over the next 12 months, we pledge to release passkey support in Sophos Central and publish adoption statistics of this stronger MFA mechanism

Default passwords

Sophos Firewall ensures safe deployments from the first boot, requiring users to create strong passwords on device setup. Without completing this step, configuring and using the network devices for their intended purpose is impossible. To further protect the secrets and keys stored on the device, administrators must provide a secondary credential which is used to encrypt sensitive data on Sophos Firewall.

Leveraging the management capabilities in Sophos Central, full deployments of Sophos Firewall are now possible using the TPM-backed Zero Touch functionality.

Pledge:

We pledge to continue to disallow default credentials in all current and future products and services.

Reducing entire classes of vulnerability

Sophos makes extensive use of modern memory-safe languages and frameworks designed to systematically prevent common OWASP Top 10 bugs such as XSS and SQLi. Sophos Central is written solely in memory safe languages.

For all critical CVEs identified in Sophos products, we aim to systematically eliminate the underlying issue instead of solely fixing the identified vulnerability. For instance, in 2020 when Sophos disclosed a CVE due to a legacy component not adequately parameterizing SQL queries, Sophos ran a large-scale initiative to identify and remove all legacy non-parameterized SQL queries across the entire product.

In SFOS v20, Sophos rewrote the Sophos Firewall VPN provisioning portal, an internet-facing security-critical service, in Go to improve memory safety and guard against vulnerabilities caused by buffer overflows. Sophos released SFOS v20 in November 2023.

Pledge:

In SFOS version v21, we pledge to containerize key services related to Central management to add additional trust boundaries and workload isolation. Additionally, SFOS v22 will include an extensive architecture redesign, which will better containerize the Sophos Firewall control plane, further reducing the likelihood and impact of RCE vulnerabilities.

Security patches

Customers automatically receive security updates for all Sophos SaaS services, including Sophos Central, with no manual intervention required. Sophos Firewall and Sophos Endpoint also automatically receive and install security patches as they are released as part of their default configuration.

While Sophos Firewall customers can manually disable this feature if required, 99.26% of our customers keep this feature enabled, demonstrating their confidence in our rigorous release testing.

Pledge:

Running the latest firewall firmware version offers additional security benefits beyond receiving security hotfixes by default. With this in mind, we pledge to release a feature by September 2025 that enables customers to automatically schedule Sophos Firewall firmware updates.

Vulnerability disclosure policy

We believe Sophos runs an industry-leading responsible disclosure program and has been fortunate to benefit from the support of security researchers for many years. Since 2018, we have issued rewards for more than 1,200 vulnerabilities and paid out almost $500,000 to the community. Our responsible disclosure policy includes safe harbor provisions to ensure researchers can engage with us without risk of legal action. We pay up to $50,000 for vulnerabilities identified in Sophos products and regularly increase payouts to support our researchers.

For more details on our Bug Bounty program see Sophos CISO, Ross McKerchar, and Bugcrowd CEO, Dave Gerry, discuss the Sophos program.

Pledge:

We pledge that within a year Sophos will:

1. Increase transparency and add to collective industry knowledge by publishing blog posts that review our findings and lessons learned from our vulnerability disclosure program.
2. Increase the maximum reward available to security researchers.

CVEs

Security-relevant defects are a top priority for Sophos and are consistently addressed. Strong processes are in place that enable us to publish CVEs in on-premises products when a vulnerability is identified by an external source (e.g. security researchers, red team exercises, etc.). However, we have identified some historic instances where internal findings were not assigned a CVE.

We do not currently publish CVEs for our hosted SaaS products. We believe this is standard industry practice, but we recognize and are participating in the ongoing industry discussion on this topic.

Pledge:

We pledge to extend our internal processes to consistently publish external CVEs for all identified internal vulnerabilities of a severity of high or critical in our products.

Evidence of intrusions

Sophos products and services provide logging and auditing capabilities at no extra cost, allowing customers to perform incident response.

Pledge:

We pledge to provide additional integration capabilities in Sophos Central to simplify the ingestion of audit logs into third parties, with target implementation prior to July 2025.

Next steps

As we continue to progress on our journey, we look forward to sharing regular updates against our pledges. Please look out for future updates.