CISA's plan to bake security into software development

New international guidance calls back to the National Cyber Strategy's recommendation that software developers take more responsibility for the security of their products.

New guidance from the Cybersecurity and Infrastructure Security Agency, the FBI, National Security Agency and a handful of allied countries urges software manufacturers to "prioritize the integration of product security as a critical prerequisite to features and speed to market."

Dubbed "Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default," the voluntary guidance, released Thursday, was developed by U.S. federal agencies and cybersecurity authorities in Australia, Canada, the United Kingdom, Germany, the Netherlands and New Zealand, offering core principles for manufacturers to build software security into their design processes. 

The guidance document calls back to the National Cybersecurity Strategy, released in March, which called on software companies to assume more responsibility for managing cybersecurity risk.

The new guidance focuses on ways that manufacturers can ensure their software products are either "Secure-by-Design" — built in a way that "reasonably protects against malicious cyber actors successfully gaining access" to connected technology — or "Secure-by-Default," meaning they are resilient to "prevalent exploitation techniques out of the box without additional charge."

Those principles include making sure that software manufacturers share more of the burden of security with the customer, that they adopt radical transparency and accountability for their products and that they structure their organization around these goals, with an emphasis on steps like establishing feedback channels and measuring the effectiveness of customer deployments of software products. 

The guidance offers tactics to achieve both Secure-by-Design and Secure-by-Default product outcomes, including eliminating default passwords during installation and configuration, mandating multifactor authentication for privileged users, implementing single sign-on technology, providing high-quality audit logs to customers at no extra charge and other steps.

"Now more than ever, it is crucial for technology manufacturers to make Secure-by-Design and Secure-by-Default the focal points of product design and development processes," the guidance said. "The authoring agencies strongly encourage every technology manufacturer to build their products in a way that prevents customers from having to constantly perform monitoring, routine updates and damage control on their systems to mitigate cyber intrusions."