To provide more secure software products, security must be built in from the earliest stages of development, according to the guide "Shifting the Cybersecurity Risk Balance: Principles and Approaches for Security-by-Design and Default", recently released by the Cybersecurity and Infrastructure Security Agency (CISA) in collaboration with the FBI, the US National Security Agency (NSA) and the cybersecurity agencies of New Zealand, the Netherlands, Germany, the UK, Canada and Australia.
“Many technology vendors still lag behind when it comes to securing or protecting the products they develop and market; they even ignore this responsibility. Because of this, it should often be the customers who are responsible for overseeing their security and mitigating and responding to cyber risk. The guidance we refer to urges technology manufacturers to innovate their design and development programs to allow only products that are safe by design and inherently safe to ship to customers. With these products, customer security would be a fundamental goal and would not require configuration changes or additional payments for features in favor of security,” said Felipe Gómez, Regional Director of Fluid Attacks.
Security by design
Security by design means that manufacturers recognize from the outset what types of cyber threats their products will be exposed to, and based on that, apply good design practices and implement the necessary security controls. According to Fluid Attacks, this requires making security a business priority and investing resources in core functions and mechanisms that prioritize customer protection above all else.
While this could increase costs early in the software development lifecycle, it would reduce the cost of maintaining and remediating vulnerabilities over the long term.
According to the CISA guidance, when applying security by design, it makes sense to refer to publications such as “Secure software development framework” from NIST (National Institute of Standards and Technology), which propose practices for organizations to identify, remediate, and prevent security vulnerabilities and mitigate the risks associated with them.
Felipe Gómez recommends some practices such as:
- Use programming languages that manage memory automatically and don’t require you to add code to protect it, e.g. Java, Ruby or Rust.
- Design an infrastructure that allows the system as a whole not to be compromised if some security controls are compromised.
- Acquire and maintain secure third-party software components.
- Create a detailed inventory of the components or resources used in the software and their dependencies.
- Require code review by other developers.
- Apply static and dynamic application security testing (SAST and DAST) to assess source code and software behavior, respectively, and identify misconfigurations and vulnerabilities that need remediation.
The cybersecurity agencies' guidance encourages manufacturers to provide products that end users do not need to protect against known and prevailing risks. By default, the experts say, their products should have sufficiently secure settings, like seat belts in new cars, and their customers shouldn’t have to pay extra for other security checks.
In addition to security-by-design practices, the guide advises IT vendors to prioritize default security settings for their software and makes recommendations such as the following:
- Offer products that require strong passwords and multi-factor authentication for privileged users during installation and configuration.
- Implement single sign-on technology so users only have to enter their credentials once to access all the services they are allowed to use.
- Provide a high-quality audit trail detailing activities or incidents within the product.
- Make recommendations about access controls or permissions based on user roles and warn of non-compliance.
- Do not incorporate backward-compatible legacy features or functionality into the products.
Fluid Attacks' regional director said the agencies recommend that software makers’ clients, particularly managers, promote compliance with the guide’s provisions and begin to prioritize the acquisition of products that are secure by design and by default.
“At Fluid Attacks we know that more and more companies are tying their success to the security of the products and systems they develop and/or use. For this reason, as indicated in the guide, we recommend that both providers and consumers of information technology conduct comprehensive and continuous security tests, using manual and automated techniques that help to ensure the security of their products, which represents a minimal exposure to risk,” stressed the executive.