The traditional approach to security has been to get the product to market fast and worry about security later. That approach has never really worked. It shifts too much of the cybersecurity responsibility onto the customer and leaves vulnerabilities primed for exploitation at every point in the supply chain.
As cyber threats become more damaging, pressure is building to prevent a disastrous attack on critical infrastructure or the economy. Because private and public interests lacked the motivation or the incentive to build security into the development process on their own, the Biden Administration stepped in with Executive Order 14028 in May 2021. The EO addresses the need to modernize technology and security in several ways, including directing NIST to produce guidance for securing the software supply chain and partnerships with large technology companies to bolster security awareness training and skills. Another area the EO highlights is the need for improved secure-by-design principles and development.
“By design, we’ve normalized the fact that technology products are released to market with dozens, hundreds or thousands of defects — such poor construction would be unacceptable in any critical field,” said Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA), in a talk at Carnegie Mellon in February.
Three core principles of secure-by-design
CISA established three core principles around secure-by-design to support critical infrastructure security. They are:
- The burden of safety should never fall solely upon the customer. Technology manufacturers must take ownership of the security outcomes for their customers.
- Technology manufacturers should embrace radical transparency, disclosing vulnerabilities so that the scope of consumer safety challenges can be understood, and commit to accountability for the products they bring to market.
- Leaders in technology manufacturing should explicitly focus on building safe products, publishing a roadmap that lays out the company’s plan for how products will be developed and updated to be both secure-by-design and secure by default.
To better understand why CISA is pushing for secure-by-design architecture, we first need to understand what secure-by-design is and why these principles are vital in the overall development process.
What is secure-by-design?
Secure-by-design, also referred to as security by design, is an approach that brings cybersecurity into software and hardware development from the beginning. Security is considered for every component, at every stage of the development process, rather than bolted on after the fact.
“With this approach, it means components and systems can all operate together, providing security and privacy,” Rashid Ali, enterprise solutions manager at WALLIX, told Spiceworks.
The point of secure-by-design principles is to decrease the need for after-the-fact fixes such as patches and emergency updates that address vulnerabilities found only once the product has gone to market. Secure-by-design architecture should cover both newly written code and the open-source code developers pull in.
Secure-by-design’s importance to cybersecurity
Most software is a combination of open-source libraries and third-party components, along with original code written in-house. Developers control what they write but not what they import. And while anyone can fix a flaw in open source, a fix upstream does not propagate on its own: every product that bundled the vulnerable version must pull the fix, rebuild and ship it, so there is no universal patch to apply.
One vulnerability that slips through anywhere in the software supply chain can wreak havoc, taking down business networks or opening the door to ransomware. The SolarWinds breach remains the prime example: attackers compromised the vendor's build process so that a backdoor shipped inside signed Orion updates, reaching thousands of customers in government and private industry at once. One well-placed attack on the software supply chain could cause damage at national scale, which is why the White House has increased its focus on national cybersecurity, particularly in the software supply chain.
There is no way to eliminate all vulnerabilities during development, but you can anticipate them. By implementing secure-by-design principles, you build in processes to test code and features at each phase of development, and you build the product so that fixes and updates can be delivered safely in the future. The firmware in many IoT devices is a good example of how a lack of secure-by-design architecture hinders cybersecurity: anyone who has tried to update the firmware on a router, printer or security camera knows how difficult it is, and when the update path is that painful, known vulnerabilities stay unpatched for years. Threat actors know that, too.
How to implement secure-by-design principles
All software is subject to attack as soon as it goes live. The objective of secure-by-design is to close vulnerabilities before the product reaches the public. To get there, organizations can follow the secure design principles OWASP documents on its GitHub Secure Design page, which include:
- Fail Safe or Fail Secure
- Layered Defense
- Least Privilege
- Separation of Duties
- Open Design
- Identifying the Weakest Link
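The first four principles are easiest to see in an authorization check, which is where "fail open" bugs most often bite. The following is an added example written for this page, not code from OWASP or CISA; the roles, actions and policy tables are constructed for illustration. It places a fail-open blocklist check (any role nobody thought to list gets everything) beside a fail-secure allowlist check that grants only what each role needs (least privilege), requires a second admin for key rotation (separation of duties), and treats any error during evaluation as a denial.

```python
"""Fail-secure, least-privilege authorization: added example, not OWASP or CISA code."""
from __future__ import annotations

import logging
from dataclasses import dataclass
from enum import Enum

log = logging.getLogger("authz")


class Action(str, Enum):
    READ = "read"
    WRITE = "write"
    DELETE = "delete"
    ROTATE_KEYS = "rotate_keys"


@dataclass(frozen=True)
class Principal:
    name: str
    role: str | None  # None models a session whose role claim is missing


# Constructed policy data; role and action names are illustrative.
# Least privilege: each role lists only the actions it needs, nothing more.
ALLOW: dict[str, frozenset[Action]] = {
    "viewer": frozenset({Action.READ}),
    "editor": frozenset({Action.READ, Action.WRITE}),
    "admin": frozenset({Action.READ, Action.WRITE, Action.DELETE, Action.ROTATE_KEYS}),
}

# Separation of duties: these actions need a second, distinct admin to approve.
DUAL_CONTROL: frozenset[Action] = frozenset({Action.ROTATE_KEYS})

# Blocklist used only by the fail-open anti-pattern below.
DENY: dict[str, frozenset[Action]] = {
    "viewer": frozenset({Action.WRITE, Action.DELETE, Action.ROTATE_KEYS}),
    "editor": frozenset({Action.DELETE, Action.ROTATE_KEYS}),
}


def authorize_fail_open(principal: Principal, action: Action) -> bool:
    """Anti-pattern: deny only what is explicitly blocked.

    Any role that was never added to DENY (a new "contractor" role, a typo in
    the claim, a missing claim) is silently granted every action.
    """
    return action not in DENY.get(principal.role, frozenset())


def authorize(principal: Principal, action: Action,
              approver: Principal | None = None) -> bool:
    """Fail-secure check: the only path to True is an explicit grant.

    - default deny: a missing or unknown role gets nothing;
    - least privilege: grants come from ALLOW and nowhere else;
    - separation of duties: DUAL_CONTROL actions need a distinct admin approver;
    - fail secure: an exception while evaluating is logged and treated as deny.
    """
    try:
        if principal.role is None:          # explicit, even though ALLOW.get would deny anyway
            return False
        if action not in ALLOW.get(principal.role, frozenset()):
            return False
        if action in DUAL_CONTROL:
            if approver is None or approver.name == principal.name:
                return False                 # no self-approval
            if action not in ALLOW.get(approver.role, frozenset()):
                return False                 # approver must hold the right too
        return True
    except Exception:  # a broken policy or malformed claim must never grant access
        log.exception("authorization error for %s/%s; denying", principal.name, action)
        return False


if __name__ == "__main__":
    contractor = Principal("mallory", "contractor")   # role nobody added to DENY
    print("fail-open  contractor DELETE:", authorize_fail_open(contractor, Action.DELETE))
    print("fail-secure contractor DELETE:", authorize(contractor, Action.DELETE))
    root, ops = Principal("root", "admin"), Principal("ops", "admin")
    print("rotate keys, no approver:", authorize(root, Action.ROTATE_KEYS))
    print("rotate keys, second admin:", authorize(root, Action.ROTATE_KEYS, approver=ops))
```

The blocklist version is the shape that fails under change: adding a role, renaming one, or losing the claim from a token all widen access without anyone touching the authorization code. The allowlist version can only narrow access under the same mistakes, and the `except` branch makes a malformed claim (say, a list where a string was expected) a denial rather than a crash that some upstream handler might turn into a pass-through.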
To implement secure-by-design principles, the development and security teams should work in partnership throughout the entire design process. Developers are trained to code, not to recognize potential security flaws, so it is the security team that puts the secure-by-design principles into action. The security team should be consulted at every step of the design of both software and hardware devices, so that choices such as network interfaces and plug-in components are made with its counsel before they are locked in, rather than retrofitted later at the expense of security.
Secure-by-design will be a culture shift for many organizations. The development team may have never collaborated on security before, and leadership will have to recognize that they may experience some delays in getting the product to market. But it will be a more secure product: one that will finally take the bulk of cybersecurity responsibilities away from the end user and keep the supply chain safer overall.