Trend Micro’s backing of the Secure by Design pledge in early 2024 underscores its longstanding focus on cybersecurity. The company prioritizes the security of its products as much as protecting its customers from cyber adversaries. The letter introduces Trend Micro’s extensive experience in innovating and developing cybersecurity solutions, which mandates that their research and development teams consistently address threats targeting their products. Consequently, the company has built significant expertise in embedding safeguards and security features into its offerings.
Goals and Progress
Drive Adoption of Multi-Factor Authentication (MFA)
Tackling the widespread issue of credential theft, MFA is an effective security measure for combating this threat. Trend Micro has made significant progress on this front by incorporating an MFA login option into their Trend Vision One™ platform, currently available on an opt-in basis. The company aims to make MFA a default feature by 2025, marking considerable advancement in increasing the use of MFA across its products.
MFA adds an extra layer of security by requiring users to provide two or more verification factors to gain access to a resource such as an application or online account. This approach significantly reduces the risk of unauthorized access, even if a user’s password is compromised. Trend Micro’s commitment to making MFA a default feature demonstrates their proactive stance in enhancing user security.
By integrating MFA into their products, Trend Micro not only protects their customers but also sets a standard for the industry. The company’s efforts in promoting MFA adoption reflect their dedication to mitigating credential theft and improving overall cybersecurity resilience. Their strategic direction ensures that users’ credentials are safeguarded through sophisticated verification steps, making it substantially more challenging for cybercriminals to penetrate security defenses.
Reduce the Use of Default Passwords
Ensuring that users do not rely on default passwords is critical for security. Trend Micro has already achieved this objective by requiring strong, unique passwords to be created during the initial installation of all its products. This measure eliminates the security risks associated with default passwords.
Default passwords are often easy targets for cyber adversaries, as they are commonly known and can be easily exploited. By mandating the creation of strong, unique passwords, Trend Micro significantly reduces the likelihood of unauthorized access to their products. This initiative not only enhances the security of Trend Micro’s offerings but also encourages users to adopt better password practices.
The company’s proactive approach in eliminating default passwords underscores their commitment to protecting their customers from potential security breaches. This move is pivotal in reinforcing the foundational security of their products and serves as a strong preventative measure against common cyber threats. By leading this initiative, Trend Micro sets a precedent in password security that other firms in the industry might follow.
Reduce Common Classes of Vulnerabilities
Reducing vulnerabilities that adversaries can exploit is a significant focus. The company is actively decreasing the prevalence of specific vulnerability classes through various efforts. The Zero Day Initiative (ZDI), recognized as the leading vendor-independent bug bounty program, has played a pivotal role in this endeavor. By disclosing bugs and providing bounties for Trend’s and other vendors’ products, ZDI has helped mitigate numerous vulnerabilities.
Trend Micro’s goal is to cut down specific classes of vulnerabilities by 50% in 2025, with notable focus areas including Cross-site Scripting (CWE-79), Link Following (CWE-59), and SQL Injection (CWE-89). These vulnerabilities are commonly exploited by cyber adversaries, making their reduction a critical aspect of enhancing product security. These specific classes have been chosen due to their high risk and frequency in the cyber threat landscape.
The company’s efforts in reducing these vulnerabilities demonstrate their commitment to proactive vulnerability management. By addressing these common classes of vulnerabilities, Trend Micro aims to minimize the attack surface and improve the overall security of their products. Their strategic focus on reducing these vulnerabilities is indicative of a comprehensive approach to cyber defense, ensuring that their products remain resilient against potential exploits.
Drive Improved Customer Patching Hygiene
Efficient patch management is critical for maintaining security. Recognizing the shift towards Software as a Service (SaaS), Trend Micro has adapted many of its products to this model, which allows for more efficient patching in the cloud. However, aware of the regulatory and privacy-driven need for on-premise solutions, the company continues to enhance the patching experience for these customers.
Trend Micro offers features such as auto-notice and auto-download of patches, staggered patch deployment options, and detailed vulnerability reporting through their Vision One platform. These measures collectively enhance patch management programs, enabling customers to prioritize high-risk vulnerabilities effectively.
By improving customer patching hygiene, Trend Micro ensures that their products remain secure against known threats. The company’s focus on efficient patch management highlights their dedication to maintaining the security and integrity of their offerings. These improvements not only fortify their customers’ defenses but also streamline the process of applying necessary updates and patches.
Publish a Vulnerability Disclosure Policy
Transparency and cooperation with the cybersecurity community are cornerstone principles for Trend Micro. The company has had a public vulnerability disclosure policy since 2017 and updates it as needed. Trend Micro’s policy includes language that ensures good-faith researchers are not pursued legally and highlights their commitment to coordinated vulnerability disclosure practices.
Being an official CVE Numbering Authority (CNA), both Trend Micro and ZDI adhere to established international standards in their disclosure processes. This commitment to transparency and collaboration fosters a safer digital ecosystem and encourages responsible vulnerability reporting. Their approach helps build trust within the cybersecurity community and promotes an open exchange of critical information.
Trend Micro’s public vulnerability disclosure policy demonstrates their dedication to working with the cybersecurity community to identify and address potential security issues. By maintaining an open and cooperative approach, the company contributes to the overall improvement of cybersecurity practices. This level of transparency is integral to cultivating a collaborative environment where security researchers and companies can work together to strengthen defenses against emerging threats.
Summary of Overarching Themes and Trends
The recurring themes across Trend Micro’s actions under the Secure by Design pledge center on enhancing security through improved practices, proactive vulnerability management, and fostering community collaboration. There is a strong consensus on the importance of multi-factor authentication to mitigate credential theft, elimination of default passwords to prevent easy exploitation, reducing common vulnerabilities to minimize the attack surface, ensuring prompt and effective patching to protect against known threats, and maintaining transparency and collaboration through comprehensive vulnerability disclosure policies.
Conclusion
Trend Micro’s endorsement of the Secure by Design pledge, set for early 2024, highlights its enduring commitment to cybersecurity. This move illustrates the company’s dedication to ensuring the security of its products and protecting its customers from cyber threats. Trend Micro’s extensive experience in the field of cybersecurity innovation is key to its operations. Their research and development teams are constantly focused on addressing and mitigating threats that target their products. This proactive approach has enabled Trend Micro to gain significant expertise in embedding advanced security features directly into their offerings. This ensures that their solutions are resilient against evolving cyber adversaries, maintaining a high standard of protection for users. By prioritizing both product security and customer protection, Trend Micro continues to play a pivotal role in the cybersecurity landscape, leveraging its knowledge and technological advancements to create safer digital environments. This dedication not only reinforces the company’s leadership in the field but also builds trust and reliability among its customer base.
