Global Governments Advise a "Secure By Design" Cyber Strategy

Did you know? Global governments now advise a "secure by design" cyber strategy for 2024 and beyond.

An initial report, titled "Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software'' was first published as a joint advisory in April 2023, and later updated on October 25, 2023. As the report describes, "Secure by design means that technology products are built in a way that reasonably protects against malicious cyber actors successfully gaining access to devices, data, and connected infrastructure."

While the concept is relatively simple on the surface, achieving this goal is considerably more complex. It depends on a combination of administrative and technical controls such as enacting executive oversight, performing risk assessments to identify the cyber threats most relevant to a company's products, designing products with a "security first" mindset rather than usability, and implementing "Defense in Depth" to secure development operations.

The Secure By Design concept is broken into three core principles of Software Product Security. These three principles are:

1. Take ownership of customer security outcomes

2. Embrace radical transparency and accountability

3. Support these goals with organizational structure and leadership

In the next section we will summarize some of the core sub-directives and provide a brief description for each. 

The Core Secure By Design Directives

Below are some specific directives that are integral to the "Secure By Design" approach. These directives support a shift towards a proactive security mindset for product vendors and emphasize the need for a shift of responsibility to prevent downstream digital supply chain risks.

• Secure By Default: Products should be resilient against common cyber threats "out of the box".  This is directly opposed to usability-centric product design goals where quick setup and ease of use are prioritized. The current state of product delivery is one where weak default configuration such as ubiquitous default passwords and complex hardening guides thwart robust security from the get-go

• Secure Features: Products need to support best practices such as automated security updates, transport layer security (TLS) with strong encryption algorithms, multi-factor authentication (MFA) and strong access controls, security event audit logging, and zero-trust architecture

• Publish Security-Related Data: Vendors should enable their customers' security posture by publishing detailed security information.  This information could include Software Bill Of Materials (SBOM), self-attestation to standard cybersecurity frameworks such as NIST, and SSDF, high-level threat models, a memory-safe roadmap, the security limitations of a product, and information about any security testing activities such as penetration testing

• Establish Internal Security Controls:  Not only do the products themselves need to be designed with a security-first mindset, but they need to be developed in secure environments. Secure Product Development Practices should be used to implement DevSecOps and reduce the risk of supply chain attacks for customers

• Pro-Security Business Practices: Organizations must support Secure By Design with their internal business structure and policies. This includes assigning an executive to oversee "Secure By Design" efforts, recognizing product security as a formal measure of product quality, and creating a corporate vision where corporate social responsibility (CSR) is associated directly with corporate cyber responsibility (CCR)

• Publish A Vulnerability Disclosure Policy: Organizations must be prepared to patch any vulnerabilities discovered in their products on time and manage the complex social scenarios that may arise when dealing with security researchers who may conduct their work in a legal gray area. Formal vulnerability disclosure policies are critical for organizations to manage these efforts effectively

Conclusion

The lack of attention to application security in so-called "market-ready" products exacerbates the risks associated with an overwhelmed IT workforce. Product vendors are often more concerned with usability than security causing further downstream risk.

The directives of a "Secure By Design" approach mark a pivotal shift in the cybersecurity landscape, urging hardware and software vendors to embed robust security measures from the onset of the product development process. Product vendors should embrace the new paradigm, embrace cybersecurity into their corporate vision of social responsibility, and take ownership of their customers' security outcomes.

What are your thoughts on global governments advising a "Secure By Design" cyber strategy? Reach out to our team today to discuss how this approach should impact your organization's security tactics (and browse our free Buyer's Guide below for more tips on implementation.)