In the past few years, the security industry has invested heavily in the detection and containment of attacks and breaches as a primary focus of innovation. To help protect Cisco, its customers, products, services and partners, we have embarked on a journey to build security and trust into every aspect of our business, including the culture of our workplace itself. The rapid evolution of the threat landscape has made this trust journey a necessity. Exploits are more frequent, better financed, more sophisticated and are causing more damage. Technology shifts like mobility and BYOD are the new normal and have resulted in more points of access for malware, resulting in a larger attack surface. In order to be more effective against the broad range of security threats, the industry must focus on foundational security being present in critical systems. By ensuring that trustworthiness is built into the technology, processes and policies involved in your IT systems, you can reduce risk and the attack surface while enabling more effective overall security.
This week, Cisco provided comments on the Department of Commerce’s Bureau of Industry and Security (BIS) proposed cybersecurity regulations. These comments reflect the realities of how Cisco looks to protect both our customers and our products. They also emphasize the critical role that security researchers, access to tools, and qualified talent have in cybersecurity.
Cisco has hundreds of dedicated security engineers and researchers throughout the company and around the globe, who use the latest and greatest tools and techniques to test our technology. We proactively attempt to break into our own products, our own services, and our own networks, in order to close identified weaknesses and vulnerabilities as soon as possible and to develop better protections against attack. Many of these same people are responsible for investigating reported vulnerabilities or compromises of our products and running these reports to ground with absolute certainty. In doing this, we have resolved countless bugs and vulnerabilities and continue to improve the security of our products with what we learn. Along the way we have discovered many interesting and creative adversaries and certainly learned that there are some very resourceful people out there.
At Cisco, security runs through everything that we do. It is our commitment to deliver verifiable, trustworthy network architectures built on secure software and secure hardware, backed by prudent supply chain security practices.
That’s why Cisco created the Cisco Secure Development Lifecycle (Cisco SDL) to ensure that security is central through the entire product development process. CSDL is a repeatable and measurable process we’ve designed to fortify the resiliency and trustworthiness of our offerings, allowing our customers to deploy high-quality products that they can trust.
Cisco SDL utilizes many industry standards and best practices, including ISO certification as part of our development processes. ISO certification provides customers validation and confidence that our processes, such as common technology requirements, secure coding procedures, code reviews, testing, and verification are consistently executed within our product development.
In 2013, we made internal compliance with the Cisco SDL process a stop-ship-grade requirement for all new Cisco products and development projects. As we make our way through 2014, we are building on this commitment, holding our teams accountable and training stakeholders to understand the importance of Cisco SDL process, adoption, and compliance.
From our Integrated Service Routers (ISRs) to our Aggregation Services Routers (ASRs), more products are being introduced across the Cisco portfolio that are Cisco SDL compliant. We look forward to keeping you up to date on progress with the CSDL initiative over the coming months.
Learn more about Cisco SDL here: http://www.cisco.com/web/about/security/cspo/csdl/index.html
With October designated as Cyber Security Awareness Month, it got me thinking about the connections between awareness and trust. Cisco has made significant investments in what we call “Trustworthy Systems.” These products and services integrate security features, functions, and design practices from the very beginning. We do this because we know that people will be depending on Cisco products for communications critical to their personal and professional missions.
Are we heading to a day of reckoning, where the forces of cyber crime overwhelm and erase the good things that information technology delivers? If we head down our current path of incremental, individualized approaches to cyber security, the answer is “Yes.” But I’m enough of an optimist to think that if the IT and security geeks and wonks of the world can unite, share information, work hard, and not worry about who gets the credit, we stand a fighting chance.