CISA initiates the next stage of Secure by Design, aiming to drive software security standards worldwide within the industry
The Cybersecurity and Infrastructure Security Agency (CISA) has updated its Secure by Design guidance, focusing on ensuring technology products come pre-configured with strong security defaults. This shift aims to transfer the responsibility for security from end-users and under-resourced IT teams to product developers and executives who can best manage risk.
Key aspects of CISA’s Secure by Design approach include hardened defaults, Infrastructure as Code (IaC) security, signed and verified software artifacts, memory-safe development languages, and built-in secure workflows. These measures are designed to strengthen the security of technology products, making them more resilient against cyber threats.
CISA urges software manufacturers to provide evidence of security incorporation in their products through the use of artifacts. This includes container images and third-party packages that include signed attestations and Software Bills of Materials (SBOM) to assure what software components are included.
The revised guidance also addresses the issue of the technology industry focusing on speed to market, driving down costs, and adding cool features instead of emphasizing security. CISA Director Jen Easterly pointed out this misalignment of incentives during a panel discussion at the Singapore International Cyber Week conference.
In practice, this means organizations developing software should embed security from requirements and design through development, testing, and release. They should provide default secure configurations and necessary security controls by default, maintain transparent and auditable supply chains through signed software components, use secure development tools and practices, and integrate automated security checks throughout Continuous Integration/Continuous Deployment (CI/CD) workflows.
The Biden administration's national cybersecurity strategy also calls for technology firms to incorporate secure by design concepts into their development process. Plans have been signaled to go to Congress to enforce these ideas into law.
Notably, Microsoft has entered a partnership with CISA to end its policy of charging customers for security logs. The attack against Microsoft, linked to suspected state-backed hackers from China, highlighted the need for default security and led to thousands of State Department and other government emails being stolen.
The updated guidance includes language on how security needs to apply to artificial intelligence software. The strategy's core tenet is to ensure that the technology industry is accountable for making sure security is built into their products at the development stage, reducing avoidable risks and security vulnerabilities early in the product development lifecycle.
CISA plans to issue a request for information regarding Secure by Design engineering in the near future to gather more insights and feedback from the industry. By adopting CISA’s Secure by Design guidance, software and technology products become more resilient against cyber threats, reduce dependency on manual security configurations by users, and contribute to overall improved security postures across sectors.
[1] White House, Office of the Press Secretary. (2021, May 12). Executive Order on Improving the Nation's Cybersecurity. Retrieved September 12, 2022, from https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
[2] National Institute of Standards and Technology. (n.d.). NIST Secure Software Development Framework (SSDF). Retrieved September 12, 2022, from https://www.nist.gov/itl/cybersecurity/nist-secure-software-development-framework-ssdf
[3] Cybersecurity and Infrastructure Security Agency. (n.d.). Secure by Design. Retrieved September 12, 2022, from https://www.cisa.gov/securebydesign
[4] The White House. (2021, May 12). Fact Sheet: Executive Order on Improving the Nation's Cybersecurity. Retrieved September 12, 2022, from https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/12/fact-sheet-executive-order-on-improving-the-nations-cybersecurity/
- The Cybersecurity and Infrastructure Security Agency (CISA) emphasizes that software developers should embed security from the design stage throughout development, testing, and release of technology products to enhance cybersecurity and privacy.
- In light of the Biden administration's national cybersecurity strategy, technology companies are encouraged to incorporate Secure by Design principles, focusing on stronger cybersecurity, privacy, and accountability for their products.
