On Tuesday, the Cybersecurity & Infrastructure Security Agency (CISA) released the second iteration of their Secure by Design plan, “Secure by Design-Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software.” CISA Director Jen Easterly announced the updated guidance at the Singapore Cyber Week conference. Earlier this year in April, CISA unveiled their first whitepaper on this topic, “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security by Design and Default.” After a listening tour, commentary, feedback, and partnering with seventeen U.S. and international agencies, CISA provided updated guidance which expanded principles and emphasized manufacturer’s ownership of software security.
Quick Recap of April 2023 Guidance
The first whitepaper focused on creating voluntary guidelines for software and technology manufacturers to follow to improve cybersecurity with the goal of building in more secure practices from the start. “Secure by design” is the concept of including security protection in the blueprint of product development by identifying weaknesses malicious actors may exploit and mitigating those risks. CISA seeks to reduce the need for patches and fixes after products are manufactured by creating these voluntary guidelines. “Secure by default” is the concept that products are resilient against common exploit techniques without end users needing to take additional steps to secure their product.
Among other things, the April 2023 whitepaper recommends that manufacturers/developers: (1) establish a vulnerability disclosure program that offers safe harbor for those who identify vulnerabilities; (2) segment security controls to mitigate the impact of compromised accounts or access points; (3) implement single sign-on technology for IT applications; (4) eliminate default passwords; and (5) mandate multifactor authentication.
The Updated October 2023 Guidance
CISA’s updated whitepaper, while staying true to its original purpose, reflects feedback from the community after the initial publication. The new guidance expands on the original’s key principles and provides additional recommendations for how manufacturers can demonstrate their commitment to those principles. Perhaps most significantly, the second iteration provides that the principles and recommendations also apply to Artificial Intelligence (AI) model developers.
Principle 1: Take Ownership of Customer Security Outcomes
Software manufacturers should invest in product security that includes application hardening, application features, and default settings. Recommendations under this principle focus on security by default, secure product development practices, and pro-security business practices.
Recommendations
- Eliminate default passwords
- Conduct field tests
- Reduce hardening guide size
- Discourage use of unsafe legacy features
- Implement noticeable alerts
- Create sure configuration templates
- Conform to a secure software development lifecycle (SDLC) framework
- Create cybersecurity performance goals
- Implement vulnerability management programs
- Responsibly use open-source software
- Provide security defaults for developers
- Foster a software developer workforce
- Incorporate security information and event management (SIEM) and (security orchestration, automation, and response (SOAR) technologies
- Align with zero trust architecture
Principle 2: Embrace Radical Transparency and Accountability
Software manufacturers should be transparent for the benefit of customers and the industry. This includes information sharing between peer organizations both in prevention and detection of attacks. This principle focuses on information exchange aiming to raise standards across the industry.
Recommendations
- Publish relevant security statistics, trends, patching, and other data
- Establish internal security controls
- Publish high-level threat models and detailed secure SDLC self-attestations
- Embrace vulnerability transparency
- Publish software bills of materials and vulnerability disclosure policies
- Name a secure by design sponsor
- Publish a secure by design roadmap, a memory-safety roadmap, and results
Principle 3: Build Organization Structure and Leadership to Achieve These Goals
Secure by design must be a business priority for software manufacturers by creating internal incentives and fostering a security-minded culture. Further, the guide suggests incorporating security as a facet of product quality and the evolving idea of corporate cyber responsibility. This principle recommends internal actions executive leadership can undertake to promote cybersecurity as a priority.
Recommendations
- Include secure by design program in corporate financial reports
- Provide regular reports to board of directors
- Empower a secure by design officer and committee
- Create internal incentives
- Establish customer councils
In addition to the expanded principles and recommendations, the guide provides more technical recommendations for implementing secure by design and secure by default practices. While everything in this guide is a “recommendation”—and CISA has no direct regulatory authority at this time—companies that develop software and connected devices should carefully review CISA’s advice. In-house product counsel, in particular, should focus on these recommendations and ensure that business teams are taking them into account throughout the product lifecycle. Few of these principles are “law,” but the test of “reasonableness” in security practices demands that security not be an afterthought; security should be by design.
