Signing the CISA Secure by Design Pledge

Written by Matt Muller, Field CISO, Tines

Published on January 9, 2025

Today, I’m thrilled to announce that Tines has formally signed CISA’s Secure by Design pledge. Since our founding, we have been guided by the fundamental belief that secure software is security software, and that our customers shouldn’t need to make a tradeoff between adding valuable automation capabilities or reducing their attack surface.

Because secure software design is in our DNA, we believe that we already meet or exceed many of the goals outlined in the pledge. That said, we know security is a journey, not a destination. The pledge includes a set of seven principles aimed at ensuring software design is secure at a foundational level. This blog post outlines both our existing investments in those Secure by Design principles, as well as where we plan to make additional investments over the upcoming year.

1. Multi-factor authentication (MFA)

Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of multi-factor authentication across the manufacturer’s products.

At Tines, we don’t believe in the “SSO tax” - that is, the idea that Single Sign-On authentication should only be made available at higher paid subscription tiers. All paid Tines plans include SSO, allowing our customers to configure their own preferred MFA mechanisms and step-up authentication logic.

In addition, free Community Edition Tines users authenticate via passwordless magic links or their Google or Microsoft account, ensuring that no passwords are ever stored in the Tines platform.

While these mechanisms allow customers to set and use strong MFA across all Tines products, it is challenging for Tines itself to enforce strong MFA, because SSO providers are inconsistent in how (and whether) they tell a client application such as Tines which authentication methods were actually used during sign-in. We encourage identity providers to communicate this through the standardized mechanisms that already exist: SAML authentication context assertions and OIDC claims.
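To make the limitation concrete, here is an added example (not Tines code, and not a description of how the Tines platform behaves) of what a relying party can do with the standardized signals: the OIDC `amr` claim (RFC 8176 method values), the OIDC `acr` claim, and a SAML `AuthnContextClassRef`. The grouping of `amr` values into knowledge/possession/inherence factors and the list of context URIs treated as MFA or single-factor are policy assumptions made for this example; the sample tokens are constructed. The key point is the third outcome: when the IdP sends nothing usable, the application can only report "unknown" and must choose between denying access and trusting the IdP blindly.

```python
"""Relying-party check: did the identity provider assert that MFA was used?

Added example for illustration; not Tines code. Factor groupings and
context-URI policy below are assumptions a deployer would tune.
"""
from typing import Iterable, Optional, Tuple

# RFC 8176 "amr" values grouped by factor type (grouping is this example's assumption).
KNOWLEDGE = {"pwd", "pin", "kba"}
POSSESSION = {"hwk", "otp", "sms", "swk", "sc", "tel"}
INHERENCE = {"face", "fpt", "iris", "retina", "vbm"}
EXPLICIT_MFA = {"mfa", "mca"}          # IdP states multi-factor/multi-channel outright
KNOWN_FACTORS = KNOWLEDGE | POSSESSION | INHERENCE

# SAML AuthnContextClassRef / OIDC "acr" values and how this example's policy reads them.
MFA_CONTEXTS = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered",
    "http://schemas.microsoft.com/claims/multipleauthn",
}
SINGLE_FACTOR_CONTEXTS = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
}


def mfa_from_amr(amr: Optional[Iterable[str]]) -> Optional[bool]:
    """True/False when the amr list settles the question, None when it cannot."""
    if not amr:
        return None
    methods = set(amr)
    if methods & EXPLICIT_MFA:
        return True
    # Two distinct factor types (e.g. pwd + otp) is MFA even without the "mfa" marker.
    categories = sum(1 for group in (KNOWLEDGE, POSSESSION, INHERENCE) if methods & group)
    if categories >= 2:
        return True
    if methods - KNOWN_FACTORS:
        return None           # values outside our table: refuse to guess
    return False


def mfa_from_context(ctx: Optional[str]) -> Optional[bool]:
    """Interpret an acr / AuthnContextClassRef value under this example's policy."""
    if ctx in MFA_CONTEXTS:
        return True
    if ctx in SINGLE_FACTOR_CONTEXTS:
        return False
    return None               # unspecified, vendor-specific, or absent


def assess(claims: dict) -> str:
    """Return 'mfa', 'single-factor' or 'unknown' for a decoded token/assertion."""
    verdicts = [
        mfa_from_amr(claims.get("amr")),
        mfa_from_context(claims.get("acr")),
        mfa_from_context(claims.get("authn_context_class_ref")),
    ]
    if any(v is True for v in verdicts):
        return "mfa"
    if any(v is False for v in verdicts):
        return "single-factor"
    return "unknown"


def decide(claims: dict, require_mfa: bool = True,
           accept_unverifiable: bool = False) -> Tuple[bool, str]:
    """Access decision plus the verdict it was based on.

    accept_unverifiable=True is the trade-off the surrounding text describes:
    the IdP may have done MFA but did not say so, so the app cannot enforce it.
    """
    verdict = assess(claims)
    if not require_mfa:
        return True, verdict
    if verdict == "mfa":
        return True, verdict
    if verdict == "unknown" and accept_unverifiable:
        return True, verdict
    return False, verdict


if __name__ == "__main__":
    # Constructed sample claim sets, as a relying party would see them after signature checks.
    samples = {
        "pwd+otp":      {"sub": "u1", "amr": ["pwd", "otp"]},
        "pwd only":     {"sub": "u2", "amr": ["pwd"]},
        "explicit mfa": {"sub": "u3", "amr": ["mfa"]},
        "no signal":    {"sub": "u4"},
        "saml 2fa":     {"sub": "u5", "authn_context_class_ref":
                         "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"},
    }
    for name, claims in samples.items():
        print(f"{name:13s} -> {decide(claims)}")
```

Run as a script to see each sample's decision; the "no signal" case is the one the text is about, and `decide` denies it by default so that the gap is visible in the application's logs rather than silently treated as MFA.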

2. Default passwords

Within one year of signing the pledge, demonstrate measurable progress towards reducing default passwords across the manufacturers’ products.

Thanks to our use of universal SSO and passwordless magic links, no Tines cloud customer will ever set a password within the Tines platform, much less a default one. For self-hosted Tines customers, the initial platform deployment flow requires the tenant admin to authenticate either via passwordless magic link or via setting their own strong password - no default passwords involved.

3. Reducing entire classes of vulnerability