Our Unwavering Commitment to Premier Security Practices: An Update on Mark43's CISA Secure by Design Pledge

To commemorate the second anniversary of the CISA Secure by Design Pledge, Senior Security Engineer Mat Sylvia unpacks Mark43’s commitment to safeguarding public safety customers worldwide.   

Security is at the core of Mark43’s mission, driving our commitment to delivering the most secure and resilient solutions for public safety agencies. That’s why we signed CISA’s Secure by Design Pledge—because its principles have aligned with our approach from the start.  

From the outset, we recognized that many of the pledge’s goals were already embedded in our practices. But true security demands continuous improvement, so we used this opportunity to evaluate where we can bolster our achievements. Here are some of our findings:  

Pledge Goals 

  1. Multi-factor authentication (MFA): Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of multi-factor authentication across the manufacturer’s products. 
  • Mark43 puts security first: Mark43 currently supports multiple SSO and MFA technologies across our entire SaaS platform, in addition to recently released support for user provisioning via SCIM. We are committed now more than ever to equipping our customers with advanced, open standards for authentication and to developing our capabilities year over year.  
  2. Default passwords: Within one year of signing the pledge, demonstrate measurable progress towards reducing default passwords across the manufacturers’ products. 
  • Mark43 puts security first: Since Mark43’s SaaS platform architecture is cloud-native, we do not rely on default passwords. Identities within our platform are associated directly with customer identity providers or with Mark43’s internal identity systems. As with our MFA capabilities and offerings, Mark43 is guiding customers away from outdated technology and processes, including default passwords, toward more secure, scalable and user-friendly solutions.  
  3. Reducing entire classes of vulnerability: Within one year of signing the pledge, demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products. 
  • Mark43 puts security first: Since memory-safety flaws are the root cause of many vulnerabilities, Mark43 recently re-architected several of our client-side applications using the latest security features and capabilities from leading industry software providers. The languages used in these applications are memory-safe, making our products resilient to buffer overflows and other memory-safety attacks. We intend to focus on this vulnerability class during the upcoming year, targeting vulnerabilities at their core. 
  4. Security patches: Within one year of signing the pledge, demonstrate actions taken to measurably increase the installation of security patches by customers. 
  • Mark43 puts security first: To facilitate deployment of application updates, Mark43 provides an auto-updater that allows customers to automatically receive the latest application versions. Mark43’s cloud-native architecture enables the inclusion of security-focused information within release documentation, providing further context and transparency to our customers. 
  5. Vulnerability disclosure policy: Within one year of signing the pledge, publish a vulnerability disclosure policy (VDP) that authorizes testing by members of the public on products offered by the manufacturer, commits to not recommending or pursuing legal action against anyone engaging in good faith efforts to follow the VDP, provides a clear channel to report vulnerabilities, and allows for public disclosure of vulnerabilities in line with coordinated vulnerability disclosure best practices and international standards. 
  • Mark43 puts security first: Mark43’s vulnerability disclosure policy (VDP) is publicly available here and outlines how to responsibly disclose a vulnerability in the Mark43 ecosystem, along with our processes and procedures for validating and remediating reported findings. 
  6. CVEs: Within one year of signing the pledge, demonstrate transparency in vulnerability reporting by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every Common Vulnerabilities and Exposures (CVE) record for the manufacturer’s products. Additionally, issue CVEs in a timely manner for, at minimum, all critical or high impact vulnerabilities (whether discovered internally or by a third party) that either require actions by a customer to patch or have evidence of active exploitation. 
  • Mark43 puts security first: In addition to our planned efforts to incorporate applicable security details within product release notes, Mark43 is actively exploring the inclusion of CWE and CPE data in release notes, where applicable. Doing so provides our customers with an additional level of security transparency, a pivotal theme of CISA’s Secure by Design Pledge. 
  7. Evidence of intrusions: Within one year of signing the pledge, demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products. 
  • Mark43 puts security first: The Mark43 platform has comprehensive event audit logging, and over the next year and beyond we are prioritizing efforts to streamline and improve it further by: 
    • Providing users with an easy-to-use interface to review logging events specific to their department or agency in a sortable format, with export capabilities that give our customers access to the valuable raw data. 
    • Improving security situational awareness for our customers across our entire platform by surfacing user events, such as last login time and login location, within the user session. 

The CISA Secure by Design Pledge goals are not one-size-fits-all, nor do they encompass every possible security best practice; however, they form fundamental security essentials that benefit every enterprise software solution.  

Mark43 is committed to leveraging the Secure by Design goals as part of our unwavering commitment to critical security hygiene practices. Our customers are on the front lines and deserve a partner who consistently raises the bar. At Mark43, we will always put security first, every step of the way. 

To learn more about Mark43’s security offerings and solutions, visit www.mark43.com/platform/security-compliance/.