Working on shifting balance of cybersecurity risk, adopting principles for security-by-design and security-by-default

With the release of joint guidance by multiple global security agencies on shifting the balance of cybersecurity risk through security-by-design and security-by-default principles and approaches, software manufacturers must revamp their design and development programs. To reach a high standard of software security, the authoring agencies encourage manufacturers to prioritize the integration of product security as a critical prerequisite to features and speed to market. Over time, engineering teams will be able to establish a new steady-state rhythm where security is truly designed in and takes less effort to maintain.

“Products that are Secure-by-Design are those where the security of the customers is a core business goal, not just a technical feature. Secure-by-Design products start with that goal before development starts,” the document outlined. “Secure-by-Default products are those that are secure to use ‘out of the box’ with little to no configuration changes necessary and security features available without additional cost.” The guidance, published by a group of nine global security agencies, intends to raise awareness and facilitate international conversations about key priorities, investments, and decisions necessary to manufacture technology that is safe, secure, and resilient.

Together, the guidance added that these two principles move much of the burden of staying secure to manufacturers and reduce the chances that customers will fall victim to security incidents resulting from misconfigurations, insufficiently fast patching, or many other common issues. Apart from specific technical recommendations, the guidance outlines several core principles to guide software manufacturers in building software security into their design processes before developing, configuring, and shipping their products.

The guidance has been authored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA) along with the Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), U.K.’s National Cyber Security Centre (NCSC-UK), Germany’s Federal Office for Information Security (BSI), Netherlands’ National Cyber Security Centre (NCSC-NL), Computer Emergency Response Team New Zealand (CERT NZ) and New Zealand’s National Cyber Security Centre (NCSC-NZ).

The concept of security-by-design means that technology products are built in a way that reasonably protects against malicious cyber actors gaining access to devices, data, and connected infrastructure. Software manufacturers should perform a risk assessment to identify and enumerate prevalent cyber threats to critical systems and then include protections in product blueprints that account for the evolving cyber threat landscape. Secure-by-design principles strengthen the security posture for customers and brand reputation for developers, while also lowering maintenance and patching costs for manufacturers in the long term.

Secure information technology (IT) development practices and multiple layers of defense, known as defense-in-depth, are also recommended to prevent adversary activity from compromising systems or obtaining unauthorized access to sensitive data. The authoring agencies recommend manufacturers use a tailored threat model during the product development stage to address all potential threats to a system and account for each system’s deployment process. The authoring agencies urge manufacturers to take a holistic security approach to their products and platforms. 

Secure-by-design development requires the investment of significant resources by software manufacturers at each layer of the product design and development process, and cannot be ‘bolted on’ later, the guidance disclosed. “It requires strong leadership by the manufacturer’s top business executives to make security a business priority, not just a technical feature. This collaboration between business leaders and technical teams extends from the early stages of design and development, through customer deployment and maintenance,” it added.

Manufacturers are encouraged to make hard tradeoffs and investments, including those that will be ‘invisible’ to the customers, such as migrating to programming languages that eliminate widespread vulnerabilities. They should prioritize features, mechanisms, and implementation of tools that protect customers rather than product features that seem appealing but enlarge the attack surface. 

The guidance said that there is no single solution to end the persistent threat of malicious cyber actors exploiting technology vulnerabilities, and products that are secure-by-design will continue to suffer vulnerabilities; however, a large set of vulnerabilities are due to a relatively small subset of root causes. “Manufacturers should develop written roadmaps to align their existing product portfolios with more Secure-by-Design practices, ensuring to only deviate in exceptional situations. The authoring agencies acknowledge that taking ownership of the security outcomes for customers and ensuring this level of customer security may increase development costs,” it added. 

However, investing in secure-by-design practices while developing new technology products and maintaining existing ones can substantially improve the security posture of customers and reduce the likelihood of being compromised. 

Security-by-default means that products are resilient against prevalent exploitation techniques out of the box, without additional charge. These products protect against the most prevalent threats and vulnerabilities without end users having to take additional steps to secure them. Security-by-default products are designed to make customers acutely aware that when they deviate from safe defaults, they are increasing the likelihood of compromise unless they implement additional compensating controls.

Security-by-default products automatically enable important security controls needed to protect enterprises from malicious hackers and provide the ability to use and further configure security controls at no additional cost. Additionally, the complexity of security configuration should not be a customer problem. Organizational IT staff are frequently overloaded with security and operational responsibilities, thus resulting in limited time to understand and implement the security implications and mitigations required for a robust cybersecurity posture.

By optimizing secure product configuration and securing the ‘default path,’ manufacturers can aid their customers by ensuring their products are manufactured, distributed, and used securely under security-by-default standards. Manufacturers of secure-by-default products do not charge extra for implementing additional security configurations.

The authoring agencies call for the use of secure-by-design tactics, including principles that reference Secure Software Development Framework (SSDF) practices, also known as the National Institute of Standards and Technology’s (NIST) SP 800-218. These practices are a core set of high-level secure software development practices that can be integrated into each stage of the software development lifecycle (SDLC). Software manufacturers should develop a written roadmap to adopt more secure-by-design software development practices across their portfolios.

The roadmap best practices include prioritizing the use of memory-safe programming languages wherever possible. The guidance also suggests incorporating architectural features that enable fine-grained memory protection, such as those described by Capability Hardware Enhanced RISC Instructions (CHERI), which can extend conventional hardware instruction-set architectures (ISAs).

It also suggests acquiring and maintaining well-secured software components from verified commercial, open source, and other third-party developers to ensure robust security in consumer software products. The guidance further calls for using web template frameworks that automatically escape user input, to avoid web attacks such as cross-site scripting, and recommends parameterized queries rather than including user input directly in query strings, to avoid SQL injection attacks.
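The two injection defenses named above (parameterized queries and automatic output escaping) are easiest to understand side by side. The following is an added illustration, not code from the guidance or from any of the authoring agencies: it builds a constructed in-memory SQLite table, runs the same user-supplied value through a string-concatenated query and a parameterized one, and renders the same value into HTML with and without escaping. `html.escape` from the standard library stands in here for the escaping a web template framework applies automatically; the table, names and roles are made up for the example.

```python
import html
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Create a constructed in-memory users table (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Weak form: the value is pasted into the SQL text, so it is parsed as SQL.

    A value containing a quote can change the WHERE clause and return rows
    the caller never intended to expose."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the value is bound as a parameter and never parsed as SQL.

    The same quote-bearing input is simply compared as data against the
    name column and matches nothing."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_unescaped(name: str) -> str:
    """Weak form: user input is interpolated into HTML as-is."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_escaped(name: str) -> str:
    """Hardened form: markup characters are escaped before interpolation.

    This is the mechanism auto-escaping template frameworks apply by default;
    the browser then displays the text instead of interpreting it as HTML."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    db = build_sample_db()
    probe = "x' OR '1'='1"  # constructed input containing a quote character
    print("concatenated query rows:", find_user_vulnerable(db, probe))
    print("parameterized query rows:", find_user_parameterized(db, probe))
    markup = "<b>name</b>"  # constructed input containing HTML tags
    print(render_greeting_unescaped(markup))
    print(render_greeting_escaped(markup))
```

Running the block shows the concatenated query returning every row of the table for the quote-bearing input while the parameterized query returns none, and the escaped greeting rendering the tags as literal text. The point for a secure-by-design program is that both hardened forms are the framework's default path, so a developer has to go out of their way to reach the weak form.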

The guidance also calls for code review, ensuring that code submitted into products goes through peer review by other developers for higher quality. It includes creating a Software Bill of Materials (SBOM) to provide visibility into the set of software that goes into products, and encourages establishing vulnerability disclosure programs that allow security researchers to report vulnerabilities and receive legal safe harbor in doing so.

It also suggests a defense-in-depth design so that the compromise of a single security control does not result in the compromise of the entire system, and calls for satisfying CISA’s Cyber Performance Goals (CPGs) by designing products that meet basic security practices. These CPGs outline fundamental, baseline cybersecurity measures organizations should implement.

The agencies recognize that these changes are significant shifts in an organization’s posture. As such, their introduction should be prioritized based on criticality, complexity, and business impact. These practices can be introduced for new software and incrementally expanded to cover additional use cases and products. In some cases, the criticality and risk posture of a certain product may merit an accelerated schedule to adopt these practices. In others, practices can be introduced into a legacy codebase and remediated over time. 

When it comes to security-by-default, the authoring agencies recommend that software manufacturers prioritize secure configurations in their products and strive to update existing products to conform to these practices as they are refreshed. For example, products should not ship with default passwords that are universally shared. To eliminate default passwords, the authoring agencies recommend that products require administrators to set a strong password during installation and configuration. Products must also mandate multi-factor authentication (MFA) for privileged users.

The guidance also suggests that IT applications implement single sign-on technology using modern open standards, with the capability available by default at no additional cost. Manufacturers must also provide high-quality audit logs to customers at no extra charge. Audit logs are crucial for detecting and escalating potential security incidents, and during the investigation of a suspected or confirmed security incident.
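The secure-by-default practices in the two paragraphs above (no universally shared default password, a strong administrator password set at install time, mandatory MFA for privileged users, audit logging and single sign-on available by default) can be expressed as a first-run configuration check that a product runs before it finishes installation. The following is an added example, not code from the guidance or from any product it describes; the `ProductConfig` fields, the strength policy and the list of shared factory passwords are all constructed for illustration. A weak factory configuration is shown beside a hardened one so the difference in findings is visible.

```python
from dataclasses import dataclass

# Constructed list of credentials that ship identically on many units.
# A real product would check against a larger breach-derived list.
SHARED_DEFAULT_PASSWORDS = {"admin", "password", "changeme", "12345678", "default"}

MIN_PASSWORD_LENGTH = 12  # assumed policy value for this example


@dataclass
class ProductConfig:
    """Hypothetical settings an installer collects before first boot."""
    admin_password: str
    mfa_required_for_admins: bool
    audit_logging_enabled: bool
    sso_enabled: bool


def password_is_strong(password: str) -> bool:
    """Assumed strength policy: long enough, mixed letters and digits,
    and not one of the universally shared defaults."""
    if password.lower() in SHARED_DEFAULT_PASSWORDS:
        return False
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    return any(c.isdigit() for c in password) and any(c.isalpha() for c in password)


def check_secure_defaults(cfg: ProductConfig) -> list:
    """Return the list of deviations from the secure default path.

    An empty list means installation may proceed; otherwise each finding is
    the visible warning the guidance asks manufacturers to show customers
    who move away from the safe configuration."""
    findings = []
    if cfg.admin_password.lower() in SHARED_DEFAULT_PASSWORDS:
        findings.append("admin password is a universally shared default")
    elif not password_is_strong(cfg.admin_password):
        findings.append("admin password does not meet the strength policy")
    if not cfg.mfa_required_for_admins:
        findings.append("multi-factor authentication is not required for privileged users")
    if not cfg.audit_logging_enabled:
        findings.append("audit logging is disabled")
    if not cfg.sso_enabled:
        findings.append("single sign-on is not enabled by default")
    return findings


def installation_may_proceed(cfg: ProductConfig) -> bool:
    """Secure-by-default gate: refuse to finish setup while the shared
    default password is still in place; other findings are warnings."""
    return cfg.admin_password.lower() not in SHARED_DEFAULT_PASSWORDS


# Constructed sample configurations for the two sides of the comparison.
WEAK_CONFIG = ProductConfig(
    admin_password="admin", mfa_required_for_admins=False,
    audit_logging_enabled=False, sso_enabled=False,
)
HARDENED_CONFIG = ProductConfig(
    admin_password="Correct-Horse-Battery-9", mfa_required_for_admins=True,
    audit_logging_enabled=True, sso_enabled=True,
)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: proceed={installation_may_proceed(cfg)}")
        for finding in check_secure_defaults(cfg):
            print("  warning:", finding)
```

The design choice worth noting is the split between a hard gate and warnings: the shared default password blocks installation outright, because the guidance singles it out as something products should never ship with, while the other deviations are surfaced as visible warnings so the customer knows they are taking on additional risk.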

Furthermore, the document suggests that software suppliers provide recommendations on authorized profile roles and their designated use cases, and include a visible warning that notifies customers of the increased risk if they deviate from the recommended profile authorization. It also calls for reducing the size of ‘hardening guides’ produced for products and striving to ensure that size shrinks over time as new versions of the software are released.

The authoring agencies acknowledge that these changes may have operational effects on how the software is employed, so customer input is critical in balancing operational and security considerations. Developing written roadmaps and securing executive support that prioritize these ideas for an organization’s most critical products is the first step toward secure software development practices, the guidance said. “While customer input is important, the authoring agencies have observed important cases where customers have been unwilling or unable to adopt improved standards, often network protocols,” it added.

Technology manufacturers and organization executives are called upon to prioritize the implementation of security-by-design and security-by-default principles outlined in the report.
