Built to Protect: The Importance of Security by Design in TPRM

Written by: Bob Maley, Chief Security Officer

Contributor: Candan Bolukbas, CTO and Founder

In today’s fast-moving tech landscape, companies often face the temptation to prioritize speed over security when developing software. While getting to market quickly might offer a competitive edge for a software company, the long-term risks can be catastrophic—especially when that company becomes a third-party vendor whose products are embedded in other cyber ecosystems. When security is treated as an afterthought, the consequences can ripple across entire supply chains, leaving businesses vulnerable to breaches, ransomware attacks, and data loss. 

For companies relying on third-party vendors, a single security oversight can expose them to significant financial loss, reputational damage, and regulatory penalties. As cyber threats become more sophisticated, the price of neglecting security during product development is far too high for both vendors and their customers.

That’s why, in 2016, when we first built Black Kite as a third-party risk management (TPRM) solution, security was at the very top of our list. As a vendor ourselves, we understood the responsibility that comes with being part of our customers’ cyber ecosystems. We knew that any vulnerability in our own product could become a vulnerability for the companies relying on us to secure their third-party relationships. Our goal wasn’t just to help businesses identify and manage risks in their vendor networks—it was also to ensure that we weren’t contributing to those risks. 

From day one, we designed Black Kite to be as secure as possible, embedding security into every layer of our platform, just like our solution helps companies do with their own vendors.

So when the opportunity to sign the CISA Secure by Design Pledge came around last year, it felt like a natural step for us. The pledge aligns perfectly with the principles we’ve followed since the beginning—building secure software that protects not only our customers but also the broader digital ecosystem. By committing to this initiative, we reinforced our dedication to putting security at the forefront of everything we do. 

Taking the CISA Secure by Design Pledge

Recently, we joined more than 200 tech companies in signing CISA’s Secure by Design Pledge. For Black Kite, signing the pledge wasn’t about making a drastic shift; it was about publicly affirming what we’ve practiced for the past eight years. As a Chief Information Security Officer (CSO) who joined in 2019, I was thrilled to join a company whose product was already well-established, with many proactive security measures in place. 

I recently sat down with co-founder and Chief Technology Officer Candan Bolukbas to discuss how Black Kite’s security-first approach already aligns with the tenets of the pledge, underscoring our commitment to helping businesses protect themselves from third-party risks.

The pledge requires us to meet seven key security goals within the year following signature. That would be daunting for many companies of our size, but it was a no-brainer for me and our leadership team.

For one, the seven goals outlined in the pledge align well with several compliance frameworks we had already embraced at Black Kite, including ISO 27001, SOC 2, and FedRAMP. Moreover, we have already adopted many essential security best practices that map to the pledge, like using MFA and avoiding default passwords in our software. 

While compliance frameworks and pledges like CISA’s are designed to improve security, any CISO worth their salt will tell you that checking the boxes on a compliance audit or pledge does not mean you are fully secure. We’ve always considered it a goal to be one step ahead of the “bad guys” and remain on the cutting edge of defensive and offensive security.

Today, I want to share some foundational principles built into Black Kite and how we have evolved our security practices. Our goal, of course, is not just to tick the boxes on the pledge, but to uphold and demonstrate our commitment to security — for all of our stakeholders, from employees to customers to investors. 

Black Kite’s Secure by Design Roots

One of the most unusual facets of Black Kite’s culture is the security knowledge and expertise in our C-Suite. Our CEO, CTO, CSO (myself), and COO all have backgrounds in security; in fact, our COO is a former CISO himself. 

This isn’t something that every business can replicate. But it’s part of the reason we’ve had such success with building a secure-by-design organization and product. Everyone in the C-Suite has bought into the importance of security from day one.

This has reinforced for me that the culture of security is just as important as the tools, processes, and people who make security happen. 

Let’s face it: The role of CISO is a challenging job. That’s true even when you have access to Fortune 500 resources. For one thing, the security talent shortage continues to plague every industry, meaning that even large companies rarely have sufficient personnel for security. Meanwhile, the threat landscape shifts faster every year — now at an exponential rate, thanks to AI — meaning that CISOs only have to deal with more risk as time passes. And, unfortunately, when a breach happens, whether it was the CISO’s fault or not, they are often scapegoated. 

With this pressure in mind, I always say educating the team about security is 90% of the battle. Fortunately, at Black Kite’s highest levels, I haven’t had to educate; rather, I’ve had partners who support my vision without hesitation. Again, this isn’t a luxury every business has. But it’s key to understand that culture and education lay the foundation for security.

In addition to this culture of security, the founders of Black Kite, as I mentioned earlier, believe deeply in security by design. Our CTO, in particular, brings a background as an “offensive” security practitioner to bear on his vision for Black Kite. Candan served as a network and security administrator and then a security manager for the government of Turkey. He also served as a Certified Ethical Hacker (CEH) for NATO, testing the security posture of many global organizations. 

As a co-founder of Black Kite, Candan has spearheaded the effort to ensure security across our culture, systems, and code. Black Kite’s software has been built with secure-by-design principles from the very beginning. And Candan and the rest of the executive team have been true partners to me, making my job easier because they already fully grasp the importance of what a CISO does.

Before I joined Black Kite (at the seed stage, so very early in the company’s journey), the team had already implemented measures like:

• Information security policies
• Multi-factor authentication
• Implementation of third-party risk monitoring (TPRM)

Candan and the team embraced these practices, not just because they were building a security platform but because they knew first-hand the repercussions of operating insecurely.

Black Kite and the CISA Secure by Design Pledge

As I mentioned, when we were invited to take the CISA Secure by Design Pledge, I had no hesitations. Here are the core aspects of the Secure by Design Pledge and how we implement them at Black Kite today:

1. Multi-Factor Authentication

The CISA pledge asks signers to implement MFA across as much of their environment as possible. At Black Kite, we have implemented and enforced MFA since 2017 via Google Authenticator. We enforce MFA for all federal clients and privileged accounts. Black Kite customers can also enable their personal MFA in conjunction with established MFA. 

Candan implemented MFA early on at Black Kite because of several career experiences. When he worked for the Counter Cyber Terrorism Task Force, he and the red teams there would often employ brute forcing to test defenses. When they found open, remote administrative ports, they would search the dark web for leaked credentials, then use those to gain access and attempt lateral movement.

MFA is a key countermeasure to prevent the success of similar attacks. Attackers need access to at least two different authentication sources to succeed with a brute-force attack. Authenticator tools are an ideal MFA component since their short-lived, one-time codes make it even harder for attackers to succeed with password-based attacks.

2. Default Passwords

Many development and production environments use default passwords. CISA’s pledge requires organizations to minimize the use of default passwords to close off this attack surface. Black Kite does not use default passwords in any development or production environments. All access is based on actual user accounts. 

This means even if a bad actor gained entry to a system, they could not use default passwords to expand their footprint within it. This quickly stops much of the fallout from a successful breach.

3. Reducing Entire Classes of Vulnerability

This pledge component involves improving vulnerability management to reduce risk over time.

Early on, Black Kite adopted the widely-known Patch Tuesday — implementing patches for known vulnerabilities on the second Tuesday of every month. When I joined the team, we expanded our countermeasures to include regular vulnerability scanning using several tools and services. 

In addition, our architecture team is working towards implementing least privilege access across the company and our product. We are also empowering developers to build more securely. We monitor our Jira ticketing system for vulnerabilities, and our metric for measuring reduction is a decline in tickets created.

4. Security Patches

By signing the pledge, organizations agree to work on increasing the use of patches by their customers and users. 

At Black Kite, our customers are responsible for performing systems security patching on their own platforms. To support them, Black Kite performs independent penetration testing on its code, and any identified defects are repaired in development and then released as patches.

5. Vulnerability Disclosure Policy

This part of the pledge requests teams to produce a vulnerability disclosure policy, permit anyone to disclose vulnerabilities without repercussions, provide a channel for reporting them, and allow public disclosure in line with global standards. 

Black Kite practices full disclosure with our customers. If Black Kite were to experience an intrusion, customers would have access to gather evidence. In my experience, this level of maturity is fairly rare for a company of our size and age. 

In addition, we have a Trust center, found at trust.blackkite.com, where anyone can learn more about our commitment to security and request a SOC 2 report or penetration test results. 

6. CVEs

CVEs, or common vulnerabilities and exposures, is a system used to identify and track vulnerabilities in software and systems. The pledge asks signers to demonstrate transparent reporting of vulnerabilities.

Black Kite identifies its own CVEs through independent penetration tests. While Black Kite does not publish its CVEs publicly, we do make our penetration test results available to customers on request.

Additionally, anyone can visit Black Kite’s Trust Center for more detailed security control and process information. Any stakeholder may request our SOC 2 report and proof of compliance with other well-known standards.

7. Evidence of Intrusions 

Finally, the CISA pledge calls on organizations to enable customers to gather evidence of intrusions within their products. At Black Kite, we fully embrace this level of transparency. Should an intrusion occur, we have a clear process in place that allows customers to collect relevant forensic data directly from our systems. This ensures they can take necessary action to protect their own environments.

In addition, Black Kite provides customers with access to detailed logs, incident reports, and audit trails upon request so they can perform their own incident investigations. We believe that empowering our customers with the right tools and information is essential to maintaining trust and ensuring that both parties can respond swiftly and effectively to any potential threats.

Startups and Security Maturity

While working at a startup or scale-up can sometimes be seen as a disadvantage when it comes to security, there are some unique advantages at play these days. For example, many investors now seek evidence of security policies and controls before funding companies. Customers are also increasingly savvy about security, in part due to measures like CISA’s pledge. In other words, there are many incentives today to “do the right thing” regarding security. 

One of the other major advantages that startups and scale-ups have is their ability to build security processes from the ground up rather than retrofitting them into legacy systems. Startups can often move more quickly to adopt new security technologies and practices without being slowed down by outdated infrastructures or bureaucratic hurdles. At Black Kite, we took full advantage of this agility. From day one, security wasn’t just something we added on after our product matured—it was a core part of our design and architecture.

As a third-party vulnerability management platform, Black Kite’s customers naturally request to see proof of our own security posture. We make this available through our Trust Center, where customers can access critical resources, including our SOC 2 Type II report, ISO 27001:2022 certificate, and a summary of penetration tests. Additionally, our platform leverages trusted subprocessors like Google Cloud to ensure the highest levels of data protection.

Black Kite’s Trust Center also showcases our extensive security controls, including encryption, access restrictions, and disaster recovery plans, all of which are updated regularly to reflect our ongoing commitment to secure operations. This transparency allows our customers to verify our security posture and gives them confidence that we’ve built our platform with secure-by-design principles from the very beginning.

As a CISO, I feel fortunate to be part of a scale-up business that takes security seriously. While signing the CISA pledge is neither the beginning nor the end of our security efforts, it’s an important way to join forces with other organizations and demonstrate our shared commitment to security.

Visit our Trust Center to learn more about our security practices, access compliance certifications like SOC 2 and ISO 27001, and review key resources like our Pentest Summary and Information Security Policy. You can also explore our security controls and infrastructure details or request access to additional documentation of our commitment to transparency and secure-by-design principles.