The U.S. Cybersecurity and Infrastructure Security Agency along with its counterpart agencies from several different countries have published a new guide urging software manufacturers to take steps to ship products that are built with security from the ground up.
The guidance, “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default, comes in the wake of several high-profile supply chain attacks and as CISA’s Known Exploited Vulnerabilities list continues to grow. Essentially, CISA and its partners hope to flip software development on its head and prioritize security over speed.
Specifically, the document urges software manufacturers to prioritize security “as a critical prerequisite to features and speed to market.”
The document calls for investments and “cultural shifts” that achieve a secure software development future, and it outlines several core principles to guide software makers in building security into their design processes prior to developing, configuring and shipping their products.
Those core principles include shifting the burden of security from the customers by taking ownership of the security outcomes of technology products. A secure configuration should be the default baseline, and software should automatically enable the most important security controls to protect customers from attacks.
In addition, the guidance calls on software manufacturers to “embrace radical transparency and accountability,” which includes ensuring vulnerability advisory records are complete and accurate.
Agencies also urge tech companies to embrace this thinking from the top down by building providing executive-level commitment for security prioritization.
Specific recommendations include shipping products that require admins to set strong passwords upon configuration, single sigg-on, using memory-safe programming languages and other measures.
CISA Director Jen Easterly says in a statement that software manufacturers must integrate security into the earliest phases of design to protect technology ecosystems.
“These secure by design and secure by default principles aim to help catalyze industry-wide change across the globe to better protect all technology users,” Easterly says. “As software now powers the critical systems and services we collectively rely upon every day, consumers must demand that manufacturers prioritize product safety above all else.”
