Global security agencies update secure by design principles and guidance for technology providers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with 17 U.S. and international partners, released on Monday an updated joint guide on ‘Secure by Design’ principles. The document includes expanded principles and guidance for technology providers to increase the safety of their products used around the world and offers additional insights into essential principles and guidance. It has been endorsed by eight more international cybersecurity agencies.

The updated guidance, ‘Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software,’ urges software manufacturers to take the urgent steps necessary to ship products that are secure by design and to revamp their design and development programs to permit only secure by design products to be shipped to customers.

CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, United Kingdom, Germany, Netherlands, and New Zealand (CERT NZ, NCSC-NZ) co-sealed the initial version. The updated guidance benefitted from insights and partnerships with cybersecurity agencies in the Czech Republic, Israel, Singapore, Korea, Norway, OAS/CICTE CSIRTAmericas Network, and Japan (JPCERT/CC and NISC).

The document builds on the April 2023 release by a group of global security agencies and includes feedback received from a large number of individuals, companies, and non-profit organizations. It expands on the three principles: ‘Take Ownership of Customer Security Outcomes,’ ‘Embrace Radical Transparency and Accountability,’ and ‘Lead From the Top.’

The update highlights how software manufacturers can demonstrate these principles to their customers and the public. Software manufacturers must be able to compete on the basis of security. The joint guidance equips software manufacturers with the tools to demonstrate their commitment to secure by design, and gives customers the means to evaluate their progress, creating a demand signal for secure by design.

“The most common request in the feedback was to provide more detail on the three principles as they apply to both software manufacturers and their customers,” the updated document outlined. “In this document, we expand on the original report and touch on other themes such as manufacturer and customer size, customer maturity, and the scope of the principles.” 

“Software is everywhere and no single report will be able to adequately cover the entire range of software systems, development of software products, customer deployment and maintenance, and integration with other systems,” according to the document. “For guidance below that does not clearly map to a particular environment, we look forward to hearing from the community how the practices described in this paper led to particular security improvements. This report applies to manufacturers of artificial intelligence (AI) software systems and models as well. While they might differ from traditional forms of software, fundamental security practices still apply to AI systems and models.” 

It added that some secure-by-design practices may need modification to account for AI-specific considerations, but the three overarching secure-by-design principles apply to all AI systems.

The agencies said that they recognize that transforming a software development lifecycle (SDLC) to align with these secure-by-design principles is not a simple task and may take time. “Further, smaller software manufacturers may struggle to implement many of these suggestions. We believe that the software industry needs to make widely available the tools and procedures that make products safer. As more people and organizations focus their attention on software security improvements, we believe there is room for innovations that will narrow the gap between larger and smaller software manufacturers to the benefit of all customers,” they added. 

Additionally, this update to the original secure by design report “is part of our commitment to building partnerships with the many interconnected stakeholder communities that underpin our technological ecosystem. It is the result of feedback from many parts of that ecosystem, and we will continue to listen and learn from perspectives. Although there are many challenges ahead, we are incredibly optimistic as we learn more about people and organizations that have already adopted a secure-by-design philosophy, often with success.”

The updated guidance document calls upon manufacturers to make hard tradeoffs and investments, including those that will be ‘invisible’ to the customers (e.g., migrating to programming languages that eliminate widespread vulnerabilities). “They should prioritize the features, mechanisms, and implementation of tools that protect customers rather than product features that seem appealing but enlarge the attack surface. There is no single solution to end the persistent threat of malicious cyber actors exploiting technology vulnerabilities, and products that are ‘secure by design’ will continue to suffer vulnerabilities; however, a large set of vulnerabilities are due to a relatively small subset of root causes.” 

Additionally, manufacturers should develop written roadmaps to align their existing product portfolios with more secure by design practices, deviating only in exceptional situations. The authoring organizations acknowledge that taking ownership of the security outcomes for customers and ensuring this level of customer security may increase development costs.

However, investing in secure by design practices while developing ‘innovative’ technology products and maintaining existing ones can substantially improve the security posture of customers and reduce the likelihood of compromise. Secure by design principles strengthen the security posture for customers and brand reputation for developers, and lower maintenance and patching costs for manufacturers in the long term.

“I am extremely proud of the expansive, insightful, and aligned U.S. and international partnerships that have come together with a shared vision of a future in which technology products are secure by design,” Jen Easterly, CISA director, said in a media statement. “Thanks to the feedback of hundreds of partners, we have revised this guidance to focus even more on how companies can demonstrate their commitment to secure by design principles.” 

Easterly added that to achieve the National Cybersecurity Strategy’s goal of rebalancing responsibility in cyberspace, ‘customers need to be able to demand more from their vendors – and this joint guidance gives them the tools to do exactly that.’

“We appreciate the cooperation with CISA and other international partners on this joint output. Within the EU, the Cyber Resilience Act seeks to reinforce product security and consumers’ safety,” Lukáš Kintr, director of the National Cyber and Information Security Agency of the Czech Republic, said. “In a globally interconnected and technology-driven world, our collective endorsement of Security by Design approach aims to strengthen our resilience and protection of our citizens and critical infrastructure across the continents.”

“‘Security by Design’ is a change in the paradigm of cybersecurity responsibility between the stakeholders. INCD would like to see the shift of responsibility from the end-user to the manufacturers and service providers. In the modern world, cybersecurity is a basic commodity, like water, energy, and environmental protection; hence, it should be secure by design and by default,” according to Gaby Portnoy, director general of the INCD. “INCD is proud to take part in CISA’s publication of this product, which we see as a critical step towards a secure and resilient technology for all customers. INCD will encourage manufacturers in the Israeli market to adopt this guidance.”

“Security by design and default are essential principles to secure the technologies that have permeated our daily lives. Technology manufacturers should be intentional about ensuring that cybersecurity is a key aspect of product development from the start, such that their products are inherently safe and secure for all users,” said David Koh, commissioner of cybersecurity and chief executive at Cyber Security Agency of Singapore. “Security should not be an “optional extra”. CSA is proud to collaborate with CISA and other partner agencies to develop the guide on Security by Design. CSA strongly encourages its adoption.”

“Cyberattacks resulting from software vulnerabilities are continuously increasing, and given their significant impact, secure management of these vulnerabilities is crucial. In Korea, there are actual cases where specific attack groups held multiple vulnerabilities in widely used solutions, and these vulnerabilities were exploited for attacks,” said Vice President Choi, Kwang Hee of KISA and head of KrCERT/CC. “Reviewing this guide has given us insight into the perspectives of international affiliated agencies. To ensure the secure development of domestic software products, we also plan to release a Korean version.”

“Products and services that are Secure by Design make up keystones in our common cyber resilience. This concept improves the quality of our guidance and advisories by incorporating elements such as zero trust and software supply chain risk management,” said Martin Albert-Hoff, director of the Norwegian National Cyber Security Centre. “The NCSC NO are proud to work together with CISA and the other partner agencies, and this cooperation contributes to strengthen cyber resilience in today’s unpredictable global situation.”

“Successful results in the cybersecurity field can only be achieved in a collaborative manner. We are therefore delighted to contribute to this guide with the experience accumulated in the OAS/CICTE CSIRTAmericas Network, which brings together government Computer Security Incident Response Teams (CSIRTs) from 21 countries of the Americas and promotes the exchange of valuable information among them,” said Alison August Treppel, executive secretary at the Inter-American Committee Against Terrorism of the Organization of American States. “Aligned with the Network’s experience, this guide recognizes the need for technology manufacturers, and CSIRTs as well, to shift from a reactive mindset to a model of continuous measurement and improvement of risk mitigation services.” 

Treppel added that this guide serves as a clear example of the work the OAS has been conducting over the last 20 years, and will continue to do, to support member states in strengthening their cybersecurity capabilities and building a more secure, resilient, and open cyberspace for all.

“The concept of Security by Design was already incorporated in Japan’s Cybersecurity Strategy (hereafter referred to as the Japanese strategy). This updated guidance gives shape to the concept of Security by Design, and comes into alignment with the Japanese strategy,” said Atsuo Suzuki, director general at the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC). “We are pleased with joint sealing of this updated guidance, which contributes to the implementation of concrete measures based on the Japanese strategy.”

The guidance is intended to further catalyze progress toward investments and cultural shifts necessary for measurable improvements in customer safety; expand international conversation about key priorities, investments, and decisions; and deliver a future where technology is safe, secure, and resilient by design. Recognizing that many private sector partners have made invaluable contributions toward advancing secure-by-design and provided input to this update, the authoring agencies are actively seeking more feedback on this new version of the joint guide. 

The authoring organizations recommend organizations hold their supplying software manufacturers accountable for the security outcomes of their products. As part of this, the authoring organizations recommend that executives prioritize the importance of purchasing secure by design and secure by default products. 

The updated document recognizes that security should be a critical element of such relationships and organizations should strive to reinforce the importance of secure by design and secure by default practices in both the formal (e.g., contracts or vendor agreements) and informal dimensions of the relationship. Organizations should expect transparency from their technology suppliers about their internal control posture as well as their roadmap towards adopting secure by design and secure by default practices.

In addition to making secure-by-default a priority within an organization, IT leaders should collaborate with their industry peers to understand which products and services best embody these design principles. These leaders should coordinate their requests to help manufacturers prioritize their upcoming security initiatives. 

By working together, customers can help provide meaningful input to manufacturers and create incentives for them to prioritize security, the guidance identified. “When leveraging cloud systems, organizations should ensure they understand the shared responsibility model with their technology supplier. That is, organizations should have clarity on the supplier’s security responsibilities rather than just the customer’s responsibilities. Organizations should prioritize cloud providers that are transparent about their security posture, internal controls, and ability to live up to their obligations under the shared responsibility model,” it added.

Last week, the U.S. CISA, FBI, NSA, and U.S. Department of the Treasury released new guidance for senior leadership and operations personnel at operational technology (OT) vendors and critical infrastructure facilities. The fact sheet will assist with better management of risk from open source software (OSS) use in OT products and increase resilience using available resources.
