
CISA's Secure By Demand: Improving Product Security During Software Procurement

Supply chain security is the intersection of enterprise cybersecurity and third-party product security. Enterprise security focuses on protecting a company's internal infrastructure and daily operations from threats. It encompasses measures like firewalls, intrusion detection systems, data encryption, and employee training to safeguard sensitive information, ensure business continuity, and maintain compliance with regulations. The goal is to create a secure environment that prevents unauthorized access, data breaches, and other cyber threats.

On the other hand, product security is about ensuring that the software or products a company develops and delivers are secure for users. According to CISA, organizations need to be active stakeholders in the product security posture of the vendors whose products they use.

This involves ensuring that vendors follow secure coding practices, perform regular security testing, and ship updates that patch security flaws. The objective is to prevent attackers from exploiting weaknesses in the product to compromise user data or systems. While both enterprise security and product security aim to defend against cyber threats, the former focuses on the company's own assets and the latter on the safety of the end user.

What is "Secure By Demand"?

Secure By Demand is a proactive approach that customers can take by explicitly demanding secure design practices from software manufacturers during the procurement process. This concept emphasizes that supply chain security should not be an afterthought but a fundamental requirement in the software development lifecycle. By playing an active role in setting security expectations, organizations ensure that the products they purchase are built with security as a core principle, aligning with best practices like those outlined by CISA’s Secure by Design initiative.

Secure By Demand encourages transparency, accountability, and the prioritization of security features, such as secure authentication, elimination of vulnerabilities, and robust incident detection capabilities, thus creating a safer technology ecosystem for all users.

CISA's Recommendation For Improving Software Product Security 

The Cybersecurity and Infrastructure Security Agency (CISA) recommends that organizations adopt a "Secure By Demand" approach to enhance software product security. This involves prioritizing security at every stage of the software development and procurement process. CISA urges software manufacturers to make security a foundational aspect of their products, focusing on practices like secure coding, regular application security assessments, and timely patch management.

By demanding secure-by-design principles, customers can reduce their exposure to ransomware, data breaches, and other malicious activity. CISA also encourages customers to ask their software providers about their commitment to secure-by-design practices, transparency in vulnerability reporting, and their support for secure authentication methods. Taking these proactive steps can significantly enhance the security posture of both individual organizations and the broader technology environment.

Consider Security During the Entire Procurement Lifecycle

CISA emphasizes the importance of product security throughout the entire software procurement lifecycle. Before purchasing software, organizations should assess each vendor's security practices by asking targeted questions about their approach to product security and adherence to secure-by-design principles. 

During procurement, it's essential to include specific security requirements in a binding contract, such as a service level agreement (SLA), so that security is a non-negotiable part of the agreement. After procurement, organizations should continuously monitor and assess the security of the software products they use, keeping up with updates, patches, and any newly discovered vulnerabilities in the product and its dependencies. By integrating security considerations into every stage of the procurement process, organizations can help ensure that the products they use are robust against cyber threats, thereby safeguarding their own infrastructure and operations.

Questions to Consider For Software Product Security

To ensure the software products they purchase are secure, organizations should ask their software manufacturers critical questions that highlight their security practices:

  • Has the manufacturer committed to CISA’s Secure by Design Pledge?

    • This commitment indicates a public dedication to security principles.

  • How does the manufacturer handle security patches and updates?

    • Are updates and patches easy to install and broadly supported, and does the product offer automatic updates?

  • Does the software support secure authentication methods, like multi-factor authentication (MFA)?

  • What steps has the manufacturer taken to eliminate entire classes of common vulnerabilities (for example, memory-safety bugs or injection flaws) rather than fixing them one at a time?

  • Does the product provide security-relevant logging, such as audit logs of authentication events and configuration changes, that customers can collect for intrusion detection?

  • How does the manufacturer manage the security of third-party components?

    • Confirm that they maintain a software bill of materials (SBOM) and have processes to ensure the security of open-source and third-party software dependencies.
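Once a vendor has delivered an SBOM, the post-procurement monitoring described above can be partly automated. The following Python is an added example, not code from the page or from CISA's guidance: it parses a CycloneDX JSON SBOM, flags structural gaps that would make the SBOM useless for tracking (such as a component with no version), and matches each versioned component against an advisory list. The SBOM, the component names, and the ADV-0001 style identifiers are all constructed for illustration and do not refer to real products or advisories; in practice the advisory list would come from a vulnerability feed.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample SBOM in CycloneDX 1.5 JSON shape (not a real vendor artifact).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "acme-gateway", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "libwidget", "version": "1.4.2",
         "purl": "pkg:generic/libwidget@1.4.2"},
        {"type": "library", "name": "jsonparse", "version": "2.0.9",
         "purl": "pkg:npm/jsonparse@2.0.9"},
        {"type": "library", "name": "tlsutil", "version": "0.9.1",
         "purl": "pkg:generic/tlsutil@0.9.1"},
        {"type": "library", "name": "nover"},  # no version: cannot be assessed
    ],
})

# Constructed advisory feed. "introduced" is the first affected version and
# "fixed" the first safe one; the ADV-xxxx ids are hypothetical placeholders.
SAMPLE_ADVISORIES: List[Dict[str, str]] = [
    {"name": "libwidget", "introduced": "1.0.0", "fixed": "1.4.3", "id": "ADV-0001"},
    {"name": "jsonparse", "introduced": "2.0.0", "fixed": "2.0.5", "id": "ADV-0002"},
    {"name": "tlsutil", "introduced": "0.0.0", "fixed": "1.0.0", "id": "ADV-0003"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2). Non-numeric suffixes such as '-beta' are
    dropped so that tuples compare numerically; good enough for dotted versions."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def validate_sbom(doc: dict) -> List[str]:
    """Return structural problems that would prevent tracking; empty means usable."""
    problems = []
    if doc.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if not doc.get("components"):
        problems.append("no components listed")
    for comp in doc.get("components", []):
        if "version" not in comp:
            problems.append(f"component {comp.get('name', '?')} has no version")
    return problems


def match_advisories(doc: dict, advisories: List[Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (component, version, advisory id, fixed version) for every component
    whose version falls in an advisory's affected range [introduced, fixed)."""
    findings = []
    for comp in doc.get("components", []):
        if "version" not in comp:
            continue  # already reported by validate_sbom
        ver = parse_version(comp["version"])
        for adv in advisories:
            if adv["name"] != comp["name"]:
                continue
            if parse_version(adv["introduced"]) <= ver < parse_version(adv["fixed"]):
                findings.append((comp["name"], comp["version"], adv["id"], adv["fixed"]))
    return findings


def assess(sbom_json: str, advisories: List[Dict[str, str]]) -> dict:
    """Load an SBOM document and return both structural problems and matches."""
    doc = json.loads(sbom_json)
    return {"problems": validate_sbom(doc), "findings": match_advisories(doc, advisories)}


if __name__ == "__main__":
    result = assess(SAMPLE_SBOM, SAMPLE_ADVISORIES)
    for problem in result["problems"]:
        print("SBOM problem:", problem)
    for name, version, adv_id, fixed in result["findings"]:
        print(f"{name} {version} affected by {adv_id}; fixed in {fixed}")
```

On the constructed input this reports that `nover` cannot be assessed, and that `libwidget` 1.4.2 and `tlsutil` 0.9.1 fall inside an advisory's affected range while `jsonparse` 2.0.9 is already past its fix. The unversioned component is the point worth raising with the vendor: an SBOM entry without a version cannot be matched against any advisory, so the contract language should require complete, versioned entries.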

Conclusion

Adopting a Secure By Demand approach is crucial for enhancing software product security and building a safer technology ecosystem. By making security a key consideration from the earliest stages of the procurement lifecycle, organizations can significantly mitigate risks associated with cyber threats. CISA’s guidance encourages customers to ask probing questions about a manufacturer’s security practices and to integrate security requirements into contracts.

This proactive stance not only protects the organization but also drives broader industry standards for product security, ultimately contributing to the protection of critical infrastructure and digital assets. By demanding secure-by-design products, organizations play a vital role in promoting a resilient cybersecurity landscape.
