Inside Cybersecurity

April 29, 2024


Stakeholders see opportunities in CISA secure software principles, raise questions on implementation

By Sara Friedman / April 14, 2023

CISA’s set of principles for secure-by-design and secure-by-default is ambitious, according to stakeholders who are weighing in on implementation and on how to make the publication, which is endorsed by international partners, successful in the long run.

“We support CISA and other governments’ efforts to encourage secure software development practices. We hope that this guidance does not diverge from or create additional expectations around the work happening at CISA and OMB regarding self-attestation to the NIST Secure Software Development Framework,” Ross Nodurft, executive director for the Alliance for Digital Innovation, told Inside Cybersecurity.

Nodurft said, “We encourage CISA and other agencies participating in the development of this guidance to work with industry to align and streamline any requirements associated with secure software development and design.”

The CISA publication provides specific recommendations on how software manufacturers can build products that use secure-by-design and security-by-default best practices during the design and development process.

CISA executive assistant director for cyber Eric Goldstein provided a short overview at a Thursday event.

Goldstein said, “We are excited today to release what we are really calling the first chapter in an international conversation about principles and approaches for security-by-design and security-by-default. … The goal is to have an increasingly specific dialogue about what are the attributes of a technology product that we think render it reasonably safe and secure such that the likelihood of an exploitable condition is dramatically reduced.”

Goldstein said CISA recognizes “that we will never get to a zero condition for vulnerabilities in technology at least for the foreseeable future but the number can be dramatically lowered.” He said CISA will be getting feedback from the community starting at the RSA Conference in San Francisco.

Specifically, Goldstein said they want to find out: “What is missing? What do we add? What do we exemplify?” He said CISA wants feedback on how to determine the “most important areas” in creating secure products and hopes to drive market forces to improve the security posture of products.

The publication breaks down recommendations for software manufacturers into software product security principles, operational tactics to help with the development process, and tactics for secure-by-design and secure-by-default. There is also guidance on “hardening vs loosening guidelines.”

The secure-by-design tactics lean heavily on NIST’s Secure Software Development Framework, including best practices around “memory safe programming languages”; “secure software components”; “web template frameworks”; Software Bills of Materials; and vulnerability disclosure programs.

Ray Kelly of the Synopsys Software Integrity Group said, “CISA is making great progress by providing guidance to help keep organizations safe from cyberattacks. Building security into the design process is not only good practice, it's also very effective in mitigating flaws in software before they reach the consumer. The challenge, however, is for organizations to adopt these practices without affecting the business, as this process takes time and requires resources that can impact the bottom line.”

Kelly said, “The 'design stage' is a critical component of the software development lifecycle (SDLC) and organizations continue to struggle with adopting security as part of this process. Hopefully, CISA’s latest recommendations will help bring more visibility into the importance of building security into the SDLC from the start.”

The publication was released jointly with the National Security Agency and FBI, and with international partners from Australia, Canada, the UK, Germany, the Netherlands and New Zealand.

BSA-The Software Alliance praised CISA’s effort to bring in stakeholders around the world to “improve cybersecurity through secure-by-design practices.”

BSA’s Henry Young said, “Enterprise software companies take seriously their responsibilities to customers and the public, and continuously work to evolve the security of their products to meet new threats, which is why BSA has been advocating for the use of secure-by-design principles for years, including in the BSA Framework for Secure Software.”

“Similarly,” Young said, “BSA supports the document’s call for an organization’s leadership to engage in cybersecurity risk management. BSA agrees that the most effective cybersecurity risk management practices will be driven by organizational leaders, who should play a leading role in cybersecurity.”

Norma Krayem of Van Scoyoc Associates weighed in on how the principles will be understood across critical infrastructure sectors.

Krayem said, “Discussions about product cybersecurity and manufacturing with security by design/default are clearly critical and this document, with the tremendous international support, is impactful to see for all sectors.”

“What will be significant to further this process is to focus on how changes like this can be implemented across critical infrastructure sectors, especially in cases where heavy regulatory regimes exist for OT sectors, and where safety issues and engineering standards are specifically required and mandated now,” Krayem said.

She added, “This is a mission critical effort that will need a community of effort, by U.S. and global federal regulators with manufacturers and customers, especially in instances where safety regulations may allow for limited deviations and safety standards are mandated, but working together, we can ensure that the future can be secure by design and default.”

Georgianna Shea of the Foundation for Defense of Democracies said there are risk management considerations that need to be addressed as organizations move to adopt the CISA principles.

“It is implementable but it is not one size fits all,” Shea said regarding the publication. Organizations use the NIST Risk Management Framework to determine their risk tolerance, Shea said, including for software and connected systems.

Implementation will need to be “customer driven through the articulated requirements that get to more specific requirements and what they mean for cybersecurity,” Shea said. She added that having a requirement to be “cyber secure” or “RMF compliant” doesn’t work for software development because needs are going to vary customer by customer.

Alex Santos, co-founder and CEO at Fortress Information Security, said, “The administration’s ideas to shift responsibility from software user to the manufacturer are well-intended. However, the liability hammer could squash innovation and transparency. We espouse a Safe Harbor philosophy. Policies that promote transparency will make us safer and more resilient. Safe harbor requirements reward organizations for employing cybersecurity best practices and incentivizing cyber-resilient behaviors.”

GitLab federal CTO Joel Krooswyk commented, “The document has a lot of strong concepts, but I am hoping for expanded detail in the next iteration. The shift in liability from users and small businesses is significant, and we’ll need more in the way of vendor-self attestation from OMB and CISA. Going forward, I’d like to see more identified consequences, supplier responsibility to the customer in case of security breach or issue, and specificity around zero trust.”

Krooswyk said, “The secure by default tactics hint at zero trust, but they do not explicitly mention zero trust guidance, which could provide a more comprehensive Secure by Default approach.” -- Sara Friedman (sfriedman@iwpnews.com)