A new alert shows that U.S. and international government agencies are urging software manufacturers to “revamp” the design of certain software to take the burden of cybersecurity flaws off of customers.
ABC News reports that the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the NSA and a host of international law enforcement agencies say that “technology manufacturers have relied on fixing vulnerabilities found after the customers have deployed the products, requiring the customers to apply those patches at their own expense.”
The alert is specifically aimed at tech providers, and customers according to CISA Executive Director Eric Goldstein. Goldstein noted that he hopes tech providers will use the product to “actually change their internal cultures,” and invest in the changes they are hoping to outline.
Additionally, he advises that customers use the guidance so that they know what to ask for when dealing with software companies. However, he acknowledged the document is “just the beginning,” saying that he hopes that the solutions outlined are not only done by the technical advisors but by senior leaders at the top of software companies. He added that they are looking forward to “opening the aperture of collaboration,” so that all the voices in the software industry can be heard.
The agencies are calling for software manufacturers to “revamp their design and development programs to permit only Secure-by-Design and -Default products to be shipped to customers.” They are calling it “Secure by Design” and “Secure by Default.”
“Products that are Secure-by-Design are those where the security of the customers is a core business goal, not just a technical feature,” the alert reads. “Secure-by-Design products start with that goal before development starts. Secure-by-Default products are those that are secure to use “out of the box” with little to no configuration changes necessary and security features available without additional cost.”
The agencies added that there are certain software principals manufactures should abide by when designing products.
“Now more than ever, it is crucial for technology manufacturers to make Secure-by-Design and Secure-by-Default the focal points of product design and development processes,” the alert continued. “Some vendors have made great strides driving the industry forward in software assurance, while others lag behind.
In addition to specific technical recommendations, the guidance outlines several core principles to guide software manufacturers in building software security into their design processes prior to developing, configuring, and shipping their products, including:
- Take ownership of the security outcomes of their technology products, shifting the burden of security from the customers. A secure configuration should be the default baseline, in which products automatically enable the most important security controls needed to protect enterprises from malicious cyber actors.
- Embrace radical transparency and accountability—for example, by ensuring vulnerability advisories and associated common vulnerability and exposure (CVE) records are complete and accurate.
- Build the right organizational structure by providing executive level commitment for software manufacturers to prioritize security as a critical element of product development.
Read the full alert here.