April 18, 2023, by Sue Poremba

The traditional approach to security has been to get the product to market fast and worry about security later. Unfortunately, that approach has never really worked. It puts too much of the cybersecurity responsibilities on the customer and leaves many vulnerabilities primed for exploitation at any point in the supply chain.

As cyber threats become more malicious, pressure is building to prevent a disastrous attack on critical infrastructure or the economy. Because private and public interests didn’t have the motivation or the incentive to make changes around building security into the development process, the Biden Administration stepped in with an executive order in May 2021. This EO addresses the need to modernize technology and security in several ways, such as a new NIST framework to secure the software supply chain and partnerships with Big Tech to bolster security awareness training and skills. Another area highlighted in this EO is the need for improved secure-by-design principles and development.

“By design, we’ve normalized the fact that technology products are released to market with dozens, hundreds or thousands of defects — such poor construction would be unacceptable in any critical field,” said Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA), in a talk at Carnegie Mellon in February.

Three core principles of secure-by-design

CISA established three core principles around secure-by-design to support critical infrastructure security. They are:

  • The burden of safety should never fall solely upon the customer. Technology manufacturers must take ownership of the security outcomes for their customers.
  • Technology manufacturers should embrace radical transparency to disclose and ultimately help us better understand the scope of our consumer safety challenges, as well as a commitment to accountability for the products they bring to market.
  • Leaders in technology manufacturing should explicitly focus on building safe products, publishing a roadmap that lays out the company’s plan for how products will be developed and updated to be both secure-by-design and secure by default.

To better understand why CISA is pushing for secure-by-design architecture, we first need to understand what secure-by-design is and why these principles are vital in the overall development process.

What is secure-by-design?

Secure-by-design, also referred to as security by design, is an approach that brings cybersecurity into software and hardware development from the beginning. It considers the security of every component at every stage of the development process.

“With this approach, it means components and systems can all operate together, providing security and privacy,” Rashid Ali, enterprise solutions manager at WALLIX, told Spiceworks.

The point of secure-by-design principles is to decrease the need for cumbersome cybersecurity fixes like patches and software updates that address the vulnerabilities found after the product has gone to market. Secure-by-design architecture should address both newly designed code and open-source code used by developers.

Secure-by-design’s importance to cybersecurity

Most software is a combination of material drawn from open-source libraries and third parties, along with original code written in-house. Developers have control over what they create but not what is out there for public use. And while anyone can fix the flaws in open source, there are no universal patches to apply.

One vulnerability that sneaks through anywhere in the software supply chain can wreak havoc, taking down business networks or opening the door to ransomware attacks. The SolarWinds breach remains the prime example of how software can be exploited and impact government and private industry. It’s not an exaggeration to say that one attack within the software supply chain could devastate the entire country. This is why the White House has increased its focus on national cybersecurity, particularly in the software supply chain.

There is no way to eliminate all vulnerabilities during the development process, but you can anticipate them. By implementing secure-by-design principles, you not only build in processes to test code and features through each phase of development but also build out the product so fixes and updates can be added in the future. The firmware in many IoT devices is an excellent example of how a lack of secure-by-design architecture hinders cybersecurity. Anyone who has ever tried to apply software updates to their routers, printers or security cameras knows how difficult it is. Threat actors know that, too.

How to implement secure-by-design principles

All software is subject to attack as soon as it goes live. The objective of secure-by-design is to close the vulnerabilities before the product is available to the public. To ensure a secure end product, organizations can adhere to the principles of secure-by-design. According to OWASP’s Secure Design page on GitHub, these principles include:

  • Fail Safe or Fail Secure
  • Layered Defense
  • Least Privilege
  • Separation of Duties
  • Open Design
  • Identifying the Weakest Link
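Three of these principles can be shown in a few dozen lines of code. The following is an added example, not code from the article, CISA or OWASP: a small authorization gate that applies Least Privilege (explicit grants, default deny), Fail Safe or Fail Secure (a failing policy lookup denies rather than allows) and Separation of Duties (the principal who requests a deployment may not approve it). The policy table, principal names and the `UnavailablePolicyStore` outage stub are constructed for illustration.

```python
from typing import NamedTuple

# Constructed sample policy: explicit grants only; any principal or action
# absent from this table is denied (least privilege, default deny).
POLICY = {
    "alice": {"deploy:request"},
    "bob": {"deploy:approve"},
    "carol": {"deploy:request", "deploy:approve"},
}

class Decision(NamedTuple):
    allowed: bool
    reason: str

class UnavailablePolicyStore:
    """Simulates a policy backend outage (constructed for the example)."""
    def get(self, principal):
        raise RuntimeError("policy store unavailable")

def fail_open_check(policy, principal, action):
    """Anti-pattern for contrast: KeyError or backend error falls through to True."""
    try:
        return action in policy[principal]
    except Exception:
        return True

def authorize(policy, principal, action):
    """Fail-secure: only a positive match allows; every other path,
    including a failing policy lookup, yields a denial."""
    try:
        grants = policy.get(principal)
    except Exception as exc:
        return Decision(False, f"policy error, denying: {exc}")
    if grants is None:
        return Decision(False, "unknown principal")
    if action not in grants:
        return Decision(False, "no grant for action")
    return Decision(True, "explicit grant")

def approve_deployment(policy, requester, approver):
    """Separation of duties: no self-approval; each role needs its own grant."""
    if requester == approver:
        return Decision(False, "requester may not self-approve")
    for principal, action in ((requester, "deploy:request"),
                              (approver, "deploy:approve")):
        d = authorize(policy, principal, action)
        if not d.allowed:
            return Decision(False, f"{principal}: {d.reason}")
    return Decision(True, "approved by a distinct, authorized principal")
```

With the outage stub, `fail_open_check` grants access while `authorize` denies it; the difference is the whole point of the fail-secure principle.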

To implement secure-by-design principles, the development and security teams should work in partnership throughout the entire design process. Developers are trained to code, not to recognize potential security flaws. It is the security team who will put the principles of secure-by-design into action. In fact, the security team should be consulted at every step of the design process for both software and hardware devices. They can then advise on factors such as network connections and plug-in components so that these do not compromise security.

Secure-by-design will be a culture shift for many organizations. The development team may have never collaborated on security before, and leadership will have to recognize that they may experience some delays in getting the product to market. But it will be a more secure product: one that will finally take the bulk of cybersecurity responsibilities away from the end user and keep the supply chain safer overall.
