7 countries unite to push for secure-by-design development

Ten agencies from across seven countries have joined forces to create a guide for software developer organizations to ensure their products are both secure by design and by default. The joint guidance, Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default, comes after several recently identified critical vulnerabilities in vendor software. In April, The United States Cybersecurity and Infrastructure Security Agency (CISA) published seven advisories covering vulnerabilities in industrial control systems (ICS) and supervisory control and data acquisition (SCADA) software from multiple vendors, including critical vulnerabilities. A few weeks prior, the agency had also issued advisories on 49 vulnerabilities in eight ICS from providers including Delta Electronics, Hitachi, Keysight, Rockwell, Siemens, and VISAM.

The collaborating agencies are:

• The Australian Cyber Security Centre (ACSC)
• The Canadian Centre for Cyber Security (CCCS)
• Germany’s Federal Office for Information Security (BSI)
• Netherlands’ National Cyber Security Centre (NCSC-NL)
• New Zealand’s Computer Emergency Response Team New Zealand (CERT NZ) and National Cyber Security Centre (NCSC-NZ)
• The United Kingdom’s National Cyber Security Centre (NCSC-UK)
• The US’s CISA, Federal Bureau of Investigation (FBI), and National Security Agency (NSA).

Secure by design versus secure by default

The guidance defines products secure by design are those where the security of the customers is a core business goal, not just a technical feature. Secure-by-design products start with that goal before development starts. Products secure by default are those that are secure to use out of the box with little to no configuration changes necessary and security features available without additional cost.

These approaches, the agencies believe, remove much of the security burden away from the customer and reduces chances of them falling victims to security incidents.

The technology developer’s role

Every technology manufacturer should build their products in a way that prevents customers from having to constantly perform monitoring, routine updates, and damage control on their systems to mitigate cyber intrusions. “Historically, technology manufacturers have relied on fixing vulnerabilities found after the customers have deployed the products, requiring the customers to apply those patches at their own expense. Only by incorporating secure-by-design practices will we break the vicious cycle of creating and applying fixes,” stated the guidance.

The agencies urged technology developers to revamp their design and development programs to permit only secure-by-design and -default products to be shipped to customers.  One way to achieve that, the document suggests, is for systems’ developers migrate to programming languages that eliminate widespread vulnerability rather than focusing on product features that seem appealing but increase the risk of an attack.

“Our new joint guide aims to drive the conversation around security standards and help turn the dial so that the burden of cyber risk is no longer carried largely by the consumer,” UK National Cyber Security Centre CEO Lindy Cameron said in a statement. We call on technology manufacturers to familiarise themselves with the advice in this guide and implement secure-by design and by-default practices into their products to help ensure our society is secure and resilient online.” 

Businesses must make technology vendors accountable for security of products

Part of the guidance includes recommendations for CISOs and technology buyers and how to help protect their businesses. The guidance recommends organizations hold their technology suppliers accountable for the security of their products. This should be done by prioritizing the purchase of what the guidance previously described as secure-by-design and secure-by-default products. It suggests this be done by establishing policies requiring that IT departments assess the security of manufacturer software before it is purchased, as well as empowering IT departments to push back if necessary. “IT departments should be empowered to develop purchasing criteria that emphasize the importance of secure-by-design and secure-by-default practices.”

The guidance goes further and recommends IT should have the support of executive management when enforcing these criteria. “Organizational decisions to accept the risks associated with specific technology products should be formally documented, approved by a senior business executive, and regularly presented to the board of directors.”

The security posture of the organization should be seen as critical, including enterprise network, identity and access management and security and response operations. Organizations should reinforce the importance of security of products both formally via contracts with vendors and informally via building a long-term partnership where the buyers know how the vendor works to ensure security of products.

Keep a relationship with peers to be informed on best products and services with secure design but also to create a united front giving feedback to technology vendors. When it comes to cloud security technology buyers must understand both the providers’ responsibility and the organizations’.  “Insecure technology products can pose risks to individual users and our national security,” NSA cybersecurity director Rob Joyce said in a statement. “If manufacturers consistently prioritize security during design and development, we can reduce the number of malicious cyber intrusions we see.”

The agencies seek feedback by email on the guidance from interested parties on key priorities, investments, and decisions necessary to achieve a future where technology is safe, secure, and resilient by design and default.