The traditional approach to security has been to get the product to market fast and worry about security later. That approach has never really worked. It shifts most of the cybersecurity burden onto the customer and leaves vulnerabilities primed for exploitation at every point in the supply chain.

As cyber threats become more damaging, pressure is building to prevent a disastrous attack on critical infrastructure or the economy. Because private and public interests lacked the motivation or the incentive to build security into the development process, the Biden Administration stepped in with Executive Order 14028, “Improving the Nation’s Cybersecurity,” in May 2021. The EO addresses the need to modernize technology and security in several ways, including NIST guidance on securing the software supply chain (which became the Secure Software Development Framework, NIST SP 800-218) and partnerships with Big Tech to bolster security awareness training and skills. Another area highlighted in the EO is the need for improved secure-by-design principles and development.

“By design, we’ve normalized the fact that technology products are released to market with dozens, hundreds or thousands of defects — such poor construction would be unacceptable in any critical field,” said Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA), in a talk at Carnegie Mellon in February.

Three core principles of secure-by-design

CISA established three core principles around secure-by-design to support critical infrastructure security. They are:

  • The burden of safety should never fall solely upon the customer. Technology manufacturers must take ownership of the security outcomes for their customers.
  • Technology manufacturers should embrace radical transparency to disclose and ultimately help us better understand the scope of our consumer safety challenges, as well as a commitment to accountability for the products they bring to market.
  • Leaders in technology manufacturing should explicitly focus on building safe products, publishing a roadmap that lays out the company’s plan for how products will be developed and updated to be both secure-by-design and secure-by-default.

To better understand why CISA is pushing for secure-by-design architecture, we first need to understand what secure-by-design is and why these principles are vital in the overall development process.

What is secure-by-design?

Secure-by-design, also referred to as security by design, is an approach that brings cybersecurity into software and hardware development from the beginning. It treats security as a requirement for every component at every stage of the development lifecycle, rather than as a feature bolted on shortly before release.

“With this approach, it means components and systems can all operate together, providing security and privacy,” Rashid Ali, enterprise solutions manager at WALLIX, told Spiceworks.

The point of secure-by-design principles is to reduce reliance on after-the-fact fixes such as patches and software updates that address vulnerabilities found once the product has gone to market. Patching does not go away, but the volume of vulnerabilities that reach customers should shrink. Secure-by-design architecture must cover both newly written code and the open-source code developers pull in.

Secure-by-design’s importance to cybersecurity

Most software is a combination of material drawn from open-source libraries and third parties, along with original code written in-house. Developers control what they write but not what they import. And while anyone can fix a flaw in an open-source component, the fix only reaches a product when that product’s maintainers pull in the corrected version; there is no central patch that updates every copy in every product at once.

A single vulnerability that slips through anywhere in the software supply chain can wreak havoc, taking down business networks or opening the door to ransomware. The SolarWinds breach remains the prime example: a compromised build process inserted a backdoor into signed Orion updates, which customers in government and private industry then installed as trusted software. It is not an exaggeration to say that one attack on the software supply chain could cause damage across the entire country, which is why the White House has increased its focus on national cybersecurity, particularly in the software supply chain.

There is no way to eliminate every vulnerability during development, but you can anticipate them. By implementing secure-by-design principles, you not only build in processes to test code and features through each phase of development but also build the product so that fixes and updates can be delivered safely later. The firmware in many IoT devices is an excellent example of how a lack of secure-by-design architecture hinders cybersecurity. Anyone who has tried to update the firmware on a router, printer or security camera knows how difficult it is, so known vulnerabilities stay exploitable for the life of the device. Threat actors know that, too.

How to implement secure-by-design principles

All software is subject to attack as soon as it goes live. The objective of secure-by-design is to close vulnerabilities before the product reaches the public. To get there, organizations can adhere to the principles of secure-by-design. According to OWASP’s Secure Design page on GitHub, these principles include:

  • Fail Safe or Fail Secure: when a check cannot be completed or an error occurs, the system denies access rather than granting it
  • Layered Defense: no single control is relied on; an attacker who bypasses one control still meets another
  • Least Privilege: every user, process and component gets only the access it needs to do its job, and nothing more
  • Separation of Duties: sensitive operations require more than one party, so no single actor can both perform and approve them
  • Open Design: security does not depend on the design being secret; only keys and credentials are secret
  • Identifying the Weakest Link: a system is only as strong as its least protected component, so find and harden that component first
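To make four of those principles concrete, here is an added example (not code from the article, from CISA or from OWASP): a small payment-authorization module that fails secure, grants least privilege, enforces separation of duties and layers its checks. The roles, users, actions and payment records are all constructed for illustration, and the fail-open variant is included only as the anti-pattern the first principle warns against.

```python
# Added example, not code from the article, CISA or OWASP: a payment
# authorization module applying fail secure, least privilege, separation
# of duties and layered defense. Every role, user, action and payment
# below is constructed for illustration.
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, Optional

# Least privilege: each role carries only the permissions its job needs.
# No role holds "create_payment" and "approve_payment" together.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "viewer": frozenset({"read"}),
    "author": frozenset({"read", "create_payment"}),
    "approver": frozenset({"read", "approve_payment"}),
}

# Constructed role table (illustrative users only).
USER_ROLES: Dict[str, str] = {
    "alice": "author",
    "bob": "approver",
    "carol": "viewer",
}


@dataclass(frozen=True)
class Payment:
    payment_id: str
    created_by: str
    approved_by: Optional[str] = None  # None until an approver signs off


class AuthzError(Exception):
    """Raised on any denied request; the caller never gets a half-result."""


def has_permission(role: str, action: str) -> bool:
    """Default deny: an unknown role or an unknown action both yield False."""
    return action in ROLE_PERMISSIONS.get(role, frozenset())


def authorize_fail_open(user_roles: Dict[str, str], user: str, action: str) -> bool:
    """Anti-pattern (fail open): a lookup error is treated as 'allow'."""
    try:
        return has_permission(user_roles[user], action)
    except KeyError:
        return True  # a user missing from the table sails straight through


def authorize(user_roles: Dict[str, str], user: str, action: str) -> bool:
    """Fail secure: any unexpected condition denies rather than allows."""
    try:
        return has_permission(user_roles[user], action)
    except Exception:  # missing user, corrupted table, anything unforeseen
        return False


def approve_payment(user_roles: Dict[str, str], user: str, payment: Payment) -> Payment:
    """Layered defense: three independent checks must all pass."""
    # Layer 1: the caller must hold the approve permission at all.
    if not authorize(user_roles, user, "approve_payment"):
        raise AuthzError(f"{user} may not approve payments")
    # Layer 2: separation of duties. Whoever created the payment cannot be
    # the one who approves it, even if their role would otherwise allow it.
    if payment.created_by == user:
        raise AuthzError(f"{user} cannot approve a payment they created")
    # Layer 3: state check. A payment is approved at most once.
    if payment.approved_by is not None:
        raise AuthzError(f"payment {payment.payment_id} is already approved")
    return replace(payment, approved_by=user)


def demo() -> Dict[str, object]:
    """Runs the checks on constructed input and returns the outcomes by name."""
    p = Payment("pay-001", created_by="alice")
    results: Dict[str, object] = {}
    results["alice_can_create"] = authorize(USER_ROLES, "alice", "create_payment")
    results["carol_can_create"] = authorize(USER_ROLES, "carol", "create_payment")
    # "mallory" is not in the table: fail-open says yes, fail-secure says no.
    results["unknown_user_fail_open"] = authorize_fail_open(USER_ROLES, "mallory", "read")
    results["unknown_user_fail_secure"] = authorize(USER_ROLES, "mallory", "read")
    results["bob_approves"] = approve_payment(USER_ROLES, "bob", p).approved_by
    denied_cases = (
        ("alice", p),                                  # no approve permission
        ("bob", Payment("pay-002", created_by="bob")), # approving own payment
        ("bob", replace(p, approved_by="bob")),        # already approved
    )
    for who, payment in denied_cases:
        try:
            approve_payment(USER_ROLES, who, payment)
            results[f"{who}_{payment.payment_id}"] = "allowed"
        except AuthzError:
            results[f"{who}_{payment.payment_id}"] = "denied"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design choice worth noticing is in authorize(): the broad except clause is not sloppiness but the fail-secure principle itself. A user who is absent from the role table is exactly the case an attacker will manufacture, and the fail-open variant turns that absence into full access.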

To implement secure-by-design principles, the development and security teams should work in partnership throughout the entire design process. Developers are trained to write code, not necessarily to recognize potential security flaws, so it is the security team that puts the secure-by-design principles into action. The security team should be consulted at every step of the design of both software and hardware, advising on decisions such as network connections and plug-in components while they are still cheap to change, so that they do not compromise security later.

Secure-by-design will be a culture shift for many organizations. Development teams may never have collaborated with security before, and leadership will have to accept some delay in getting the product to market. The result is a more secure product: one that finally takes the bulk of the cybersecurity burden off the end user and keeps the supply chain safer overall.
