
How Our Security-First Approach Aligns with CISA’s Secure by Design Across Products, Processes, and Partnerships

At BeyondTrust, security is not an afterthought; it is our foundation, and it aligns with CISA’s Secure by Design guidance. We’ve built our culture, our engineering practices, and our platform around the belief that secure software must be intentional, measurable, and continuously improved.

When the Cybersecurity and Infrastructure Security Agency (CISA) introduced the “Secure by Design” pledge one year ago to continue its mission of improving and maintaining best practices and resiliency against attacks on the United States, we were proud to be an early signatory. The pledge calls on technology providers to take ownership of customer safety by embedding security into every stage of product design and development, rather than bolting it on afterward.

For BeyondTrust, many of these principles were already core to how we operate. Since signing the pledge roughly one year ago, we’ve continued to strengthen our security-first approach across every product, process, and partnership. We’ve focused on deepening those security-first practices, validating our maturity, and expanding the controls that reduce customer burden and risk.

This blog highlights our progress across each pledge area—from eliminating default passwords to improving patch adoption—and demonstrates how we continue to advance secure innovation.

Supporting Multi-Factor Authentication (MFA)

Strengthening authentication is a central CISA priority because compromised credentials remain the leading cause of identity-driven intrusions. MFA continues to be one of the most effective safeguards against unauthorized access, which is why the first of the seven CISA pledge goals is to increase the use of multi-factor authentication (MFA) across software products.

At BeyondTrust, every product in our portfolio supports MFA, either natively or through integration with identity providers that enforce it. That commitment hasn’t changed since we signed the pledge, and it remains a core requirement across our entire portfolio.

Impact for customers:
Organizations can deploy BeyondTrust solutions knowing strong authentication controls are available from Day One, reducing the risk of compromised identities.

Eliminating Default Passwords

The second pledge goal is to reduce the use of default passwords across products. Default passwords are a persistent vulnerability across agencies and enterprises, and one of the most common root causes of compromise in software supply chain attacks. Removing or changing default passwords is a central secure-by-design objective.

BeyondTrust enforces a strict no-default-password policy across all products. Our product offerings never ship with hardcoded or vendor-provided credentials.

We achieve this through:

  • Automated password management

  • Secure generation rules

  • Hardened configurations

Impact for customers:

Customers can deploy with confidence knowing privileged accounts are protected from the outset of deployment, preventing one of the most widely exploited attack vectors in the wild.

Reducing Classes of Vulnerability

One of CISA’s most important secure by design principles is not just to fix individual bugs, but to eliminate systemic weaknesses before they can cause problems. This aligns closely with BeyondTrust’s engineering philosophy.

We believe the most effective security control is one that requires no action from customers. Instead of fixing individual bugs, BeyondTrust engineers work to pre-emptively eliminate entire classes of vulnerabilities before they appear in code. Our development practices align with frameworks such as OWASP Top 10, SANS Top 25, and the OWASP Application Security Verification Standard (ASVS). Security is integrated throughout the software lifecycle through:

  • Shift Left Security: Security considerations begin with design and continue through every sprint and review cycle.

  • Secure Defaults: Guardrails such as centralized input validation and secrets detection in continuous integration pipelines make the secure choice the natural one.

  • Automation at Scale: Continuous scanning and automated validation identify issues, such as credential exposure or outdated libraries, before release.

The Results:

  • Secrets Management: Hardcoded secrets have been fully eliminated and replaced with dynamic managed credentials.

  • Memory Safety and Input Validation: Consistent frameworks and tools have greatly reduced exposure to injection and cross-site scripting (XSS) vulnerabilities.

Impact for customers:
Secure-by-default software with fewer patches required and a reduced attack surface.

Eliminating Secrets in Source Code

Hardcoded credentials, tokens, and API keys are a major attack vector leading to supply chain compromise. Stolen or exposed credentials were used in 31% of all breaches, according to Verizon’s 2025 Data Breach Investigations Report.

BeyondTrust takes a structured approach to eliminating hardcoded secrets in our source code, ensuring both legacy cleanup and ongoing prevention. Our methodology involves multiple phases, combining automated detection, preventive controls, and continuous monitoring.

  1. Baseline Cleanup

    1. We enabled GitHub Advanced Security across our entire codebase to scan for hardcoded secrets, API keys, and credentials.

    2. Identified instances were removed or rotated immediately, with all valid secrets securely migrated to an appropriate secret management solution (our own Password Safe®, or cloud-native key vaults and enterprise-grade secret stores).

    3. This initial cleanup established a clean foundation across active repositories.

  2. Preventive Controls at Commit Stage

    1. We implemented a pre-commit hook in GitHub that prevents developers from introducing secrets into source code during pull requests.

    2. This control ensures that no sensitive data is merged into production branches, while also preventing residual traces in commit history.

  3. Alerting and Triage Process

    1. An alerting mechanism was added to flag potential secret-related findings.

    2. Alerts are auto-routed to the security team for review, allowing false positives to be triaged quickly without slowing developer workflows.

  4. Enhanced Pattern Coverage with AI Scanning

    1. We enabled AI-driven scanning and configured all available detection patterns in GitHub to identify even non-standard or obfuscated secrets.

    2. This provides broader coverage across multiple programming languages and frameworks, ensuring edge cases are caught before they become security liabilities.
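A minimal commit-stage secret scanner, added here to illustrate the kind of control described in step 2 above; this is example code, not BeyondTrust’s hook or GitHub’s secret-scanning implementation, and the token patterns, entropy threshold and sample diff are constructed assumptions.

```python
import math
import re
import subprocess
import sys

# Credential formats to block outright (illustrative patterns, not a complete set).
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}
# Quoted literals long enough to be a key, checked by entropy when no pattern hits.
QUOTED_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")

def shannon_entropy(s: str) -> float:
    """Bits per character; random base64/hex material scores well above prose."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_text(text: str, entropy_threshold: float = 4.0) -> list:
    """Return (diff_line_no, rule, match) for every added line that looks like a secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.startswith("-"):
            continue  # removed lines cannot introduce a secret
        body = line[1:] if line.startswith("+") else line
        hits = [(line_no, name, m.group(0))
                for name, pat in KNOWN_PATTERNS.items() for m in pat.finditer(body)]
        if not hits:  # fall back to entropy for unknown token formats
            hits = [(line_no, "high_entropy_literal", m.group(1))
                    for m in QUOTED_LITERAL.finditer(body)
                    if shannon_entropy(m.group(1)) >= entropy_threshold]
        findings.extend(hits)
    return findings

# Constructed staged diff; AKIAIOSFODNN7EXAMPLE is AWS's documented example key id.
SAMPLE_DIFF = """\
+++ b/settings.py
+DB_HOST = "db.internal"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
-old_password = "hunter2hunter2"
+password = "Tr0ub4dor&3-with-extra"
+SESSION_COOKIE = "q7Zb2Xk9Lm4Pw1Rt6Vy3Hn8Jc5Fd0GsA"
"""

def main() -> int:
    # Hook entry point: scan what is staged and fail the commit on any finding.
    diff = subprocess.run(["git", "diff", "--cached", "-U0"],
                          capture_output=True, text=True, check=True).stdout
    findings = scan_text(diff)
    for line_no, rule, match in findings:
        print(f"blocked: {rule} at diff line {line_no} ({match[:6]}...)")
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main())
```

Installed as `.git/hooks/pre-commit`, a non-zero exit blocks the commit; `scan_text(SAMPLE_DIFF)` shows the three kinds of hit on the constructed diff.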

Impact for customers:

Through this multi-layered approach, BeyondTrust has not only eliminated legacy risks like hardcoded secrets, but has also embedded preventive controls that scale with our development velocity. This significantly reduces the risk of credential exposure, helping to strengthen the security of the software supply chain and reduce the likelihood of unintentional insider-created vulnerabilities.

Security Patching and Updates

Unpatched systems are one of the fastest paths to compromise. Attackers routinely exploit known vulnerabilities within days or even hours of disclosure.
CISA emphasizes reducing time-to-remediate as a critical Secure by Design principle because rapid patch adoption significantly lowers the window of exposure and prevents opportunistic attacks.

BeyondTrust simplifies the installation of security patches across its products through the BT Updater Desktop Client, BeyondTrust’s dedicated tool for managing updates across its product suite, which combines automation, centralized management, and flexible deployment options.

Key capabilities include:

  • Automatic Update Checks: Runs as a Windows service and checks for updates every 12 hours by default.

  • Subscription-Based Updates: Admins can subscribe to specific product versions and lock them to prevent untested updates from being deployed.

  • Sequential or Latest Downloads: Choose to download all intermediate versions or just the latest one.

  • Resilient Downloads: If interrupted, downloads resume automatically. Files are verified via SHA256 hash and certificate checks.

  • Manual or Scheduled Installs: Updates can be installed immediately or scheduled for later.

Impact for customers:
Organizations reduce time-to-remediate, maintain healthier patch hygiene, and strengthen their defensive posture, all with minimal operational overhead.

Vulnerability Disclosure Policy (VDP)

Transparency and collaboration are critical to secure development. As a signer of the CISA Secure by Design pledge, BeyondTrust maintains a formal Vulnerability Disclosure Policy (VDP) to promote responsible reporting of security issues in our products and services.

Our VDP is designed to ensure timely, confidential, and transparent handling of reported vulnerabilities. Security researchers are encouraged to submit findings directly to our security team at [email protected], using our PGP key for encryption when necessary. Any submissions should include detailed reproduction steps to aid validation.

BeyondTrust commits to:

  • Confidential Handling: All reports are treated with strict confidentiality. Personal information is never shared without consent.

  • Timely Response: We aim to acknowledge submissions within five business days, provide an initial evaluation, and share an estimated remediation timeline. Researchers are kept informed throughout the process.

  • Recognition: Upon resolution, BeyondTrust may publicly credit the researcher, unless anonymity is requested.

To support proactive vulnerability management, BeyondTrust continuously scans its products and cloud environments to detect threats and generate severity-based contextual alerts. These alerts are integrated into our native console and SIEM platform, enabling streamlined triage and rapid response.

Key Elements of BeyondTrust’s Vulnerability Disclosure Policy:

  • Responsible Disclosure Encouraged: Security researchers are invited to report vulnerabilities directly to BeyondTrust’s security team.

  • Submission Process:

    • Email findings to [email protected].

    • Use BeyondTrust’s PGP key to encrypt sensitive information.

    • Include detailed steps to reproduce the issue.

  • Confidential Handling:

    • Reports are treated with strict confidentiality.

    • Personal details are not shared with third parties without permission.

  • Response Timeline:

    • BeyondTrust aims to respond within 5 business days.

    • The response typically includes an evaluation and estimated resolution date.

    • Researchers are kept informed throughout the remediation process.

  • Acknowledgment:

    • Once a fix is released, BeyondTrust may publicly credit the researcher (unless anonymity is requested).

CNA Role: CVE Creation & Publication

As a CVE Numbering Authority (CNA), BeyondTrust is responsible for identifying, documenting, and publishing CVEs for vulnerabilities in our products.

Our CVE process includes:

  1. Identification & Assessment: Vulnerabilities are discovered via internal testing, external reports, bug bounty submissions, or customer disclosures. Each issue is validated and severity assessed using CVSS.

  2. Advisory Preparation: For high or critical vulnerabilities, a Security Advisory is developed alongside a CVE entry, a Knowledge Base (KB) article, and supporting customer communication.

  3. CVE Creation: CVEs are authored using the Vulnogram editor and published to CVE.org with full details (summary, CWE, references, researcher credit if applicable).

  4. Public Disclosure: On release day, BeyondTrust publishes the CVE, Security Advisory, and KB article simultaneously, ensuring customers, partners, and the broader community receive coordinated, transparent communication. Advisories are published on the BeyondTrust Security Advisories page.

Impact for customers:

Transparency, faster notification cycles, and clear remediation guidance.

Evidence of Intrusions

The Pledge commits signers to help customers gather evidence of cybersecurity intrusions quickly and reliably.

BeyondTrust meets this in two key ways:

Agentless Vulnerability Management & Logging

BeyondTrust applies an agentless vulnerability management solution for full visibility across the company's cloud accounts and resources. Key capabilities include:

  • Side-scanning during the snapshot process assesses snapshots for security threats and yields contextual data and alerting based on criticality.

  • Alerts flow into both the native console and SIEM platform for easy review and action.

Azure Security Center logging feeds key insights into the BeyondTrust SIEM: for instance, ingress authentication logging to track user access and activity, threat analytics to detect suspicious software installations, and third-party access detection to alert BeyondTrust personnel to potential malicious activity. All such incidents are automatically reported to the BeyondTrust InfoSec team for analysis, with appropriate action taken based on the severity and relevance of the alert.

Identity Security Insights®

BeyondTrust’s own Identity Security Insights product also plays a critical role in helping BeyondTrust and customer organizations detect and respond to evidence of intrusion, especially those involving identity-based threats. Here's how it works:

1. AI/ML-Powered Anomaly Detection

Uses machine learning to detect unusual behaviors that deviate from normal patterns, even if they don’t match known attack signatures.

Examples of anomalies include:

  • Suspicious MFA events followed by infrastructure changes

  • Unusual Azure service principal modifications

  • Excessive reads from Secret Safe (potential credential harvesting)

2. TTP, IOC, and IOA-Based Detections

Leverages known Tactics, Techniques, and Procedures (TTPs), Indicators of Compromise (IOCs), and Indicators of Attack (IOAs) to flag:

  • Logins from anonymized or risky IPs

  • Password spray attacks

  • Dormant accounts suddenly accessing privileged resources

3. Real-Time Alerts & Contextual Guidance

Alerts are enriched with contextual information to help analysts understand:

  • Why the activity is suspicious

  • What systems or identities are affected

  • How to respond (e.g., rotate credentials, terminate sessions)

4. True Privilege™ Graph

Visualizes escalation paths and privilege interconnections across identities.

Helps identify how an attacker might move laterally or escalate privileges post-compromise.

5. Integrated Response Capabilities

Works with BeyondTrust PAM tools (like Password Safe and Privileged Remote Access) to:

  • Automatically rotate credentials.

  • Terminate suspicious sessions.

  • Enforce least privilege and/or JIT access.

6. Cross-Domain Visibility

Correlates identity activity across:

  • On-prem AD, Azure AD (Entra ID), Okta, Ping, AWS, GCP, GitHub, and more.

Logs and alerts are consolidated into a single dashboard for faster triage.
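Two of the detections listed under items 1 and 2 above (a password spray, and a dormant account suddenly reaching a privileged resource), written as an added illustration over constructed sample sign-in events; this is example code, not the logic of Identity Security Insights, and the event format, window sizes and resource names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events: (timestamp, user, source_ip, outcome, resource).
EVENTS = [
    ("2025-03-01T09:00:00", "alice", "10.0.0.5", "success", "mail"),
    ("2025-03-01T09:02:00", "bob", "10.0.0.6", "success", "mail"),
    # one source failing once against many accounts in seconds: a spray, not brute force
    ("2025-03-01T10:00:00", "alice", "198.51.100.7", "failure", "vpn"),
    ("2025-03-01T10:00:05", "bob", "198.51.100.7", "failure", "vpn"),
    ("2025-03-01T10:00:10", "carol", "198.51.100.7", "failure", "vpn"),
    ("2025-03-01T10:00:15", "dave", "198.51.100.7", "failure", "vpn"),
    ("2025-03-01T10:00:20", "erin", "198.51.100.7", "failure", "vpn"),
    # a service account silent since November suddenly reaches an admin console
    ("2024-11-10T08:00:00", "svc-backup", "10.0.0.9", "success", "fileshare"),
    ("2025-03-01T11:00:00", "svc-backup", "10.0.0.9", "success", "domain-admin-console"),
]
PRIVILEGED = {"domain-admin-console", "password-safe"}  # assumed resource names

def parse(event):
    ts, user, ip, outcome, resource = event
    return datetime.fromisoformat(ts), user, ip, outcome, resource

def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag a source IP that fails against >= min_accounts distinct users inside window."""
    failures_by_ip = defaultdict(list)
    for ts, user, ip, outcome, _ in map(parse, events):
        if outcome == "failure":
            failures_by_ip[ip].append((ts, user))
    alerts = []
    for ip, fails in failures_by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):  # slide the window over each failure
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_accounts:
                alerts.append((ip, len(users)))
                break
    return alerts

def detect_dormant_privileged(events, dormant_after=timedelta(days=90)):
    """Flag privileged access by an account with no successful activity for dormant_after."""
    last_seen, alerts = {}, []
    for ts, user, _, outcome, resource in sorted(map(parse, events)):
        if outcome != "success":
            continue
        gap = ts - last_seen[user] if user in last_seen else None
        if resource in PRIVILEGED and gap is not None and gap >= dormant_after:
            alerts.append((user, resource, gap.days))
        last_seen[user] = ts  # first-ever sign-ins are baselined, not alerted
    return alerts
```

On the constructed events, the spray detector reports the single source that hit five accounts, and the dormancy detector reports svc-backup after a 111-day gap; a production version would read the same fields from the identity provider’s sign-in logs.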

Impact for customers:
Actionable intelligence that accelerates detection, investigation, and response — especially for identity-centric incidents.

Looking Ahead

The Secure by Design pledge is not a one-time effort but an ongoing responsibility—one that reflects the way BeyondTrust has always approached security.

Over the past year, our teams have strengthened secure-by-default engineering, expanded automated protections, and deepened transparency across our vulnerability and disclosure processes. This work reinforces the core purpose of the BeyondTrust platform: protecting identities, access, and endpoints by reducing complexity and removing avoidable risk.

As we look ahead, we remain committed to advancing software security, fostering collaboration across the cybersecurity community, and continuously earning customer trust through transparency and innovation. These capabilities empower customers to detect, investigate, and respond to identity-based threats with speed and precision.

FAQs

CISA’s Secure by Design Pledge, launched in May of 2024, is a voluntary commitment for technology providers to embed security into every phase of software development, reduce systemic vulnerabilities, and improve transparency with customers. It outlines seven key areas—including MFA, default passwords, vulnerability reporting, and evidence of intrusions—that companies must demonstrate progress against.

BeyondTrust signed as an early adopter because the pledge aligns closely with our long-standing security-first culture. Many of the requirements—including MFA enforcement, no default passwords, and structured vulnerability management—were already deeply embedded in our engineering practices.

Over the last year, BeyondTrust has advanced all seven pledge commitments, including enforcing MFA across all products, eliminating default passwords, removing hardcoded secrets from source code, strengthening patching adoption with BT Updater, improving VDP/CVE transparency, and enhancing intrusion detection capabilities through Identity Security Insights and agentless cloud scanning.

BeyondTrust enforces a strict no-default-password policy. Products never ship with vendor-provided or hardcoded credentials. Automated password generation, secrets management, and hardened configurations ensure privileged accounts are protected from initial deployment onward.

The BT Updater Desktop Client streamlines update discovery, download, and installation. It offers automatic update checks, subscription-based version controls, resilient downloads, and scheduled installs—making it easier for customers to stay current with security patches.

BeyondTrust maintains a formal VDP inviting researchers to report vulnerabilities directly and securely to our InfoSec team. Reports are acknowledged within five business days, handled confidentially, and accompanied by transparent remediation timelines. Researchers may be credited publicly upon resolution.

About the Author

Rush Modi

Director, Product Management, BeyondTrust