Cyber security agencies in the Five Eyes nations and others are putting pressure on software vendors to improve product security and transparency.
Announcing joint guidance late last week, four North American agencies joined with organisations in Australia, Canada, the UK, New Zealand, the Netherlands and Germany to call for software to be made “secure by design” and “secure by default”.
In a reversal of the approach the tech sector has practised for decades, which emphasised the user’s role in keeping products secure, the joint announcement said software vendors should “take ownership of the security outcomes of their technology products, shifting the burden of security from the customers”.
“A secure configuration should be the default baseline, in which products automatically enable the most important security controls needed to protect enterprises from malicious cyber actors,” the announcement stated.
The NSA’s cyber security director Rob Joyce called insecure technology products a risk to national security as well as to individual users.
“If manufacturers consistently prioritise security during design and development, we can reduce the number of malicious cyber intrusions we see,” he added.
“The international coalition partnering on this report speaks to the importance of this issue.”
The partners also call for “radical transparency and accountability”: not only should vendors take part in vulnerability disclosure programs, “advisories and associated common vulnerability and exposure (CVE) records” should be “complete and accurate.”
As explained in the guidance document [pdf], the aim is to “break the vicious cycle of creating and applying fixes”.
Security by design is defined in the document as a product that is “built in a way that reasonably protects against malicious cyber actors successfully gaining access to devices, data, and connected infrastructure”.
“Secure-by-Default” means products are resilient against prevalent exploitation techniques out of the box without additional charge, the guidance document said, including warning consumers if they “deviate from safe defaults”.