Snyk Joins CISA's Secure by Design Pledge
August 5, 2025
As the Chief Information Security Officer at Snyk, my primary role is to ensure the security and integrity of our products, our systems, and our customers' data. But my responsibility extends beyond our walls. It involves championing a vision for a more secure digital world—a vision I am proud to say we share with the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
That is why Snyk has enthusiastically joined CISA’s Secure by Design pledge – a set of concrete security goals, aimed at measurably improving product security within one year. This pledge aligns with the principles that have guided Snyk from its inception.
What is CISA’s Secure by Design?
Historically, the burden of application security has fallen on the shoulders of development teams, who have been expected to patch, configure, and defend software products that were, frankly, not built with security as a primary consideration. CISA’s Secure by Design initiative, developed in partnership with international cybersecurity agencies, seeks to fundamentally reverse this dynamic.
The program acts as a call to action for all software manufacturers to take ownership of their customers' security outcomes. It urges us to build products that are secure from the ground up—secure “by design” and secure “by default.” This means shipping products that do not have default passwords, that have multi-factor authentication (MFA) enabled, and that are designed to eliminate entire classes of vulnerabilities before they ever reach the user. The goal is to make security a standard feature, not a premium add-on.
The pledge goals: A blueprint for a safer future
The pledge outlines seven core goals, each addressing a common failure point in software security to make immediate and impactful improvements. These goals represent a foundational shift toward proactive security and greater transparency.

1. Embracing multi-factor authentication (MFA)
Passwords alone are no longer a sufficient defense. They are the primary target of cyberattacks and can be compromised through phishing, credential stuffing (where attackers use lists of stolen passwords from other breaches), or simple guessing. Relying on a single factor of authentication is like leaving your front door locked but with the key easily available under the mat.
MFA provides a critical second layer of defense. Even if an attacker steals a user's password, they cannot gain access without the second factor (e.g., a code from a mobile app, a physical security key).
This single change drastically reduces the risk of unauthorized access, protects sensitive user data, and significantly strengthens the security posture of the application against the most common types of attacks.
2. Eliminating default passwords
Using hardcoded or easily guessable default credentials (like admin/password) is a massive, unforced error. These passwords are often publicly documented or easily discovered, making any device or software that uses them an easy target for automated attacks that scan the internet for vulnerable systems. It leaves the "front door" wide open.
Forcing a unique, strong password to be set upon installation or first use immediately closes this gaping security hole and ensures a baseline level of security for all users, regardless of their technical expertise.
3. Publishing a vulnerability disclosure policy (VDP)
Security researchers and ethical hackers are constantly probing for weaknesses in software. Without a clear, official, and safe way for them to report their findings, they may not report them at all, or worse, they might disclose them publicly.
This creates a "zero-day" situation where attackers learn of the flaw at the same time as the vendor, leading to a frantic race to patch before widespread exploitation occurs.
A VDP creates a structured and safe "see something, say something" channel and fosters a positive relationship with the security community, turning potential adversaries into allies. It allows the organization to learn about and fix vulnerabilities privately and proactively, before they can be used against customers.
4. Reducing entire vulnerability classes
Playing "whack-a-mole" by fixing individual security bugs one at a time is an inefficient, endless, and losing battle. Many of the most damaging vulnerabilities, such as SQL injection or memory safety errors (like buffer overflows), stem from recurring, systemic weaknesses in how software is designed and written.
By making strategic architectural decisions—such as using memory-safe programming languages (e.g., Rust, Go, C#), adopting secure-by-default frameworks, and using parameterized queries for database access—organizations can eliminate the root cause of these problems.
This approach is far more effective and scalable, preventing entire categories of future bugs from ever being written in the first place.
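As an added illustration of the parameterized-query point above (example code written for this post, not Snyk's own tooling), the two lookups below run the same query but differ in whether the caller's value is spliced into the SQL text or passed separately. The in-memory user table and the name O'Brien are constructed for the example; the single quote in that name is enough to show that concatenated input reaches the SQL parser as syntax, which is the root cause of the injection class.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table so the example runs offline."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("O'Brien", "obrien@example.test")],
    )
    return con


def lookup_concat(con, name):
    # Vulnerable pattern: the caller's value is spliced into the SQL text,
    # so the database cannot tell data apart from query structure.
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return con.execute(sql).fetchall()


def lookup_param(con, name):
    # Parameterized query: the SQL text is fixed and the value travels
    # separately, so it is always bound as a string, never parsed as SQL.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()


def compare(con, name):
    """Run both lookups and report whether the concatenated query even parsed."""
    try:
        concat, concat_error = lookup_concat(con, name), None
    except sqlite3.OperationalError as exc:
        # The quote inside the name terminated the SQL string literal early:
        # proof that user input was interpreted as query syntax.
        concat, concat_error = None, str(exc)
    return {"concat": concat, "concat_error": concat_error, "param": lookup_param(con, name)}


if __name__ == "__main__":
    db = make_db()
    for candidate in ("alice", "O'Brien"):
        print(candidate, compare(db, candidate))
```

For plain input both paths agree; for the quoted name only the parameterized path returns the row, while the concatenated path fails at parse time for the same reason it would accept attacker-controlled SQL.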
5. Increasing transparency in vulnerability reporting
Customers are often "flying blind." They have no visibility into the third-party and open source components that make up the software they use (a problem solved by a Software Bill of Materials, or SBOM). Additionally, without clear notification of the known vulnerabilities that affect a product, using industry-standard programs such as Common Vulnerabilities and Exposures (CVEs), they cannot accurately assess their risk or know when to apply critical patches.
Providing an SBOM allows customers to manage their own software supply chain risk. Publicly acknowledging and tracking CVEs enables them to make informed decisions about security updates and risk management.
This openness builds a partnership based on trust and shared responsibility, leading to a more resilient and secure ecosystem for everyone.
6. Increasing timely patching
A security patch is worthless if it's never applied. When the patching process is manual, complex, or disruptive, customers delay or ignore updates, leaving systems vulnerable for extended periods long after a fix is available. Attackers specifically target these known-but-unpatched vulnerabilities.
Streamlining the update process through mechanisms like automatic security updates or simplified "one-click" patching dramatically shortens the time a system remains vulnerable. It reduces the window of opportunity for attackers and ensures that the protections developed by the manufacturer are deployed in the real world.
7. Providing evidence of intrusion
When a security breach occurs, defenders are often left in the dark. Without robust, high-quality security logs provided by default, it is nearly impossible for a customer to determine the scope of an attack: how an adversary got in, what they accessed, and whether they are still present. This lack of visibility cripples incident response and recovery efforts.
Offering security logs enables effective forensic analysis, rapid incident response, and accurate damage assessment. This transparency helps customers meet compliance requirements and allows them to quickly identify and contain threats.
How Snyk’s pledge benefits our customers
Snyk’s participation in the Secure by Design pledge is a natural extension of our developer-first security mission. While we are proud to work toward these goals and have implemented practices aligned with the CISA pledge requirements, the true benefit for our customers lies in how the Snyk platform empowers you to build your own Secure by Design products.
Enabling proactive security
The pledge’s call to eliminate entire classes of vulnerabilities is the very essence of Snyk's purpose. Tools like Snyk Code (SAST) and Snyk Open Source (SCA) are designed to help find and fix security flaws—from injection vulnerabilities to insecure dependencies—directly within the developer’s workflow.
By integrating security into the development process, we help you build products that are secure from the first line of code.
Driving transparency with SBOMs
CISA’s emphasis on transparency through Software Bills of Materials (SBOMs) is a critical step forward for the industry. Snyk has long been a leader in this space, providing tools that allow you to easily generate and monitor the components in your software.
This not only helps Snyk users meet compliance requirements but also provides a clear view of your application’s security posture.
Accelerating vulnerability management
The pledge goals of timely patching and robust vulnerability disclosure are central to the Snyk Platform. Snyk’s robust security intelligence provides you with timely, accurate information on new vulnerabilities.
We go beyond mere detection, offering context and automated fix suggestions that can help reduce the time it takes to patch critical flaws, helping you protect your users faster.
A shared mission
The Secure by Design initiative marks a pivotal moment for our industry. It’s an acknowledgment that we can and must do better. At Snyk, we are honored to stand with CISA and other industry leaders in this pledge. We believe that security is a shared responsibility, and we are committed to providing the tools and intelligence that empower developers and organizations to build a more secure future for everyone.
To learn more about our own security and trust commitments, please visit the Snyk Trust Portal.
To read more about this crucial initiative, we encourage you to visit CISA’s Secure by Design webpage.
Disclaimers:
Snyk's products are designed to help identify and remediate security vulnerabilities, but cannot guarantee the detection of all security issues. Effective security requires a comprehensive approach beyond any single tool or platform.
This blog post contains forward-looking statements about Snyk's products and capabilities. Actual results may vary, and Snyk makes no guarantee regarding future functionality or performance.
While Snyk has joined CISA's Secure by Design pledge, Snyk is not affiliated with or endorsed by CISA or any government agency.