CISA, the FBI, the National Security Agency (NSA) and partner nations’ cybersecurity authorities released a report today that’s intended to guide software manufacturers toward a new approach. The recommendations aim to ensure products are already designed and configured for strong security before they reach end users.
Former National Cyber Director Chris Inglis and now-acting National Cyber Director Kemba Walden have previously highlighted this issue. Tech companies have the resources and reach to make real change, but too often it’s the end users who are expected to shoulder most of the burden of patching, evading phishing schemes and otherwise heading off incidents, Walden said during a discussion last month. A single person’s password mistake shouldn’t be able to turn into a Colonial Pipeline-level crisis, Walden said.
But too often companies prioritize delivering products to market quickly over making sure the products are secure. In March, Walden suggested that new regulations and laws might help shift that calculus, such as laws holding irresponsible software companies liable for security flaws.
The new release from CISA and its partners is meant to advance discussions, and it “does not automatically serve as a regulatory document,” the report states. It provides both core guiding principles and more specific technical recommendations.
“With this joint guide, the authoring agencies seek to progress an international conversation about key priorities, investments, and decisions necessary to achieve a future where technology is safe, secure, and resilient by design and default,” CISA said in an announcement. The organizations are also seeking feedback on the report.
DESIGNING IN SECURITY
The new report calls for a “secure-by-design” approach that would see software creators consider cybersecurity from the get-go, before they start developing the products. They’d need to consider how malicious actors might try accessing devices, data or connected infrastructure, and plan against this.
Companies would prioritize security over adding features or getting to market quickly. Security features would also be expected, not something that could optionally be added later for additional fees.
“Historically, technology manufacturers have relied on fixing vulnerabilities found after the customers have deployed the products, requiring the customers to apply those patches at their own expense,” the report states. “Only by incorporating Secure-by-Design practices will we break the vicious cycle of creating and applying fixes.”
Effectively implementing a secure-by-design approach could involve various measures, including using memory safe programming languages where possible, creating a software bill of materials, and performing static and dynamic application testing.
The National Institute of Standards and Technology’s SP 800-218, also called the Secure Software Development Framework, and CISA’s Cybersecurity Performance Goals can both be helpful guides.
SECURE DEFAULTS
Software should have optional security features already turned on when the products reach users, rather than asking users to opt in to security, the report said.
Companies often give users hardening guides, detailing ways to make the software more secure. But companies should make more of these elements of the products’ default configurations. Doing so can both provide a more secure baseline and help remove certain risks. For example, not all users will be aware of the hardening guides and so may unwittingly leave their settings “in an insecure position.” Plus, cyber attackers might review the hardening guides for ideas on vulnerable product features they could target. Flipping the script would see manufacturers provide products that are tightly secured by default, while giving users “loosening guides” explaining how users could adjust settings and the security tradeoffs of doing so.
Secure-by-default products would require users to create strong passwords when installing and configuring the software, rather than seeing the products arrive with default passwords. Admin accounts could come with multifactor authentication already turned on, with users needing to opt out if they didn’t want it.
The report also asks manufacturers to freely provide customers with “high quality” audit logs to help them detect and respond to possible security incidents. Another recommendation: forgo giving products backwards-compatible legacy features if including them would introduce security risks.
GROWING PAINS
The report acknowledges that secure-by-design and -default approaches may introduce more development costs and require adjusting to a new way of doing things.
Report authors also argue, however, that making products more secure from the get-go could bring other benefits, like bolstering the brand’s reputation and reducing maintenance and patching costs down the line. To make adjustments more manageable, they also advise starting by applying secure-by-design practices for new software, or for current products that are particularly important or risky, before later addressing other products.
The report notes, too, that some customers may be displeased with secure-by-default setups that change how the software operates. Authors advise getting customer input on how to balance operational and security goals, but ultimately say companies should push customers to accept higher security.
“The authoring agencies have observed important cases where customers have been unwilling or unable to adopt improved standards, often network protocols,” they write. “It is important for the manufacturers to create meaningful incentives for customers to stay current and not allow them to remain vulnerable indefinitely.”
ADVICE TO CUSTOMERS
The report also recommends prioritizing security-by-design and -default when purchasing technologies. That can include letting IT departments vet products’ security before buying them and demand certain security criteria be met. Organizations can also discuss such product security practices with their vendors and include expectations in agreements and contracts.
- Read the report here
- Send feedback on it here: SecureByDesign@cisa.dhs.gov
- Stay tuned: Report authors expect to hold listening sessions on the report
