This week, Cisco provided comments on the Department of Commerce’s Bureau of Industry and Security (BIS) proposed cybersecurity regulations. These comments reflect the realities of how Cisco looks to protect both our customers and our products. They also emphasize the critical role that security researchers, access to tools, and qualified talent have in cybersecurity.
Cisco has hundreds of dedicated security engineers and researchers throughout the company and around the globe, who use the latest and greatest tools and techniques to test our technology. We proactively attempt to break into our own products, our own services, and our own networks, in order to close identified weaknesses and vulnerabilities as soon as possible and to develop better protections against attack. Many of these same people are responsible for investigating reported vulnerabilities or compromises of our products and running these reports to ground with absolute certainty. In doing this, we have resolved countless bugs and vulnerabilities and continue to improve the security of our products with what we learn. Along the way we have discovered many interesting and creative adversaries and certainly learned that there are some very resourceful people out there.
At Cisco, security runs through everything that we do. It is our commitment to deliver verifiable, trustworthy network architectures built on secure software and secure hardware, backed by prudent supply chain security practices.
That’s why Cisco created the Cisco Secure Development Lifecycle (Cisco SDL) to ensure that security is central through the entire product development process. CSDL is a repeatable and measurable process we’ve designed to fortify the resiliency and trustworthiness of our offerings, allowing our customers to deploy high-quality products that they can trust.
Cisco SDL utilizes many industry standards and best practices, including ISO certification as part of our development processes. ISO certification provides customers validation and confidence that our processes, such as common technology requirements, secure coding procedures, code reviews, testing, and verification are consistently executed within our product development.
In 2013, we made internal compliance with the Cisco SDL process a stop-ship-grade requirement for all new Cisco products and development projects. As we make our way through 2014, we are building on this commitment, holding our teams accountable and training stakeholders to understand the importance of Cisco SDL process, adoption, and compliance.
From our Integrated Service Routers (ISRs) to our Aggregation Services Routers (ASRs), more products are being introduced across the Cisco portfolio that are Cisco SDL compliant. We look forward to keeping you up to date on progress with the CSDL initiative over the coming months.
Check out the video below where I explain Cisco SDL in more detail:
With October designated as Cyber Security Awareness Month, it got me thinking about the connections between awareness and trust. Cisco has made significant investments in what we call “Trustworthy Systems.” These products and services integrate security features, functions, and design practices from the very beginning. We do this because we know that people will be depending on Cisco products for communications critical to their personal and professional missions.
Are we heading to a day of reckoning, where the forces of cyber crime overwhelm and erase the good things that information technology delivers? If we head down our current path of incremental, individualized approaches to cyber security, the answer is “Yes.” But I’m enough of an optimist to think that if the IT and security geeks and wonks of the world can unite, share information, work hard, and not worry about who gets the credit, we stand a fighting chance.
We’ve invested considerable time, effort, and money in the effort to make Cisco products robust enough for deployment as Trustworthy Systems, either in their own right or integrated into a complete solution. At its essence, attaining trustworthiness is a matter of discipline—a series of conscious actions to build products in the right way, certify their conformity to prevailing industry and customer-required standards, and keep a careful watch on the integrity of the product supply chain, from initial product concept through their integration and operation over a solution lifecycle. But the most important attribute of a trustworthy system is vendor transparency. I define this as a customer’s ability to ask a vendor any question and to receive a complete, honest answer in return.
I have more to say on this subject in a video blog. I also invite you to view the Trustworthy Systems page on Cisco.com and download the newly published Cisco Trustworthy Systems White Paper.