CISA, Others Unveil Guide for Secure Software Manufacturing
Joint Road Map Details How Manufacturers Should Bake Security Into Design Processes
The United States and half a dozen other countries sought to reverse decades of tech industry attitudes in a Thursday document pleading with manufacturers to make cybersecurity a core business goal.
A 15-page document that preaches security by design says manufacturers should align design and development programs to ensure software is secure - without forcing customers to pay more or alter the configuration. The U.S. Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation and the National Security Agency collaborated with Australia, the U.K., Canada, Germany, the Netherlands and New Zealand on the guide.
Secure by design and secure by default "move much of the burden of staying secure to manufacturers and reduce the chances that customers will fall victim to security incidents resulting from misconfigurations, insufficiently fast patching, or many other common issues," the agencies wrote.
The guidance comes less than seven weeks after CISA Director Jen Easterly delivered a high-profile address urging manufacturers to stop vulnerabilities from accumulating before products ship. The era of releasing products to the public with "dozens, hundreds or thousands of defects" must end, she said. The document released Thursday explores the major themes from Easterly's speech in more detail (see: US Official Reproaches Industry for Bad Cybersecurity).
The agencies behind the document lack regulatory authority to issue tech industry mandates, but some governments have said they could force the tech industry into adopting better security practices. The European Union is actively considering a bill dubbed the Cyber Resilience Act obliging tech manufacturers to provide security support and software updates - a bill the CISA document mentions approvingly.
Secure Design Comes at Cost to Manufacturers
The secure-by-design process should begin with software manufacturers performing a risk assessment to identify the top cyberthreats to critical systems and then including protections in product blueprints. CISA urges manufacturers to double down on security even if it's in ways that are invisible to customers, such as migrating to programming languages that eliminate widespread vulnerabilities.
Manufacturers should prioritize the use of memory safe programming languages such as C#, Rust, Ruby, Java, Go and Swift wherever possible, CISA stated. Mitigations and testing techniques commonly applied to legacy codebases, such as address space layout randomization, control-flow integrity and fuzzing, don't adequately prevent exploitation on their own, it said.
Source code and application behavior should be examined via static and dynamic application security testing to detect improper memory management and error-prone database query construction. In addition, user privileges should be narrowly provisioned, and access control lists should be employed so that the compromise of a single security control doesn't result in compromise of the whole system.
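As an added illustration of the "error-prone database query construction" the guide flags, the following Python is not code from the CISA document or the article. It puts a string-built login query beside its parameterized form, runs both against an in-memory SQLite table seeded with constructed rows, and includes a toy static rule of the kind a SAST tool applies: it walks a Python AST and reports any `.execute()` call whose statement is assembled at runtime. Table and user names are invented for the example.

```python
"""Added example, not code from the CISA guide or from the article.
Shows string-built SQL beside the parameterized form, plus a toy static
check of the kind a SAST tool performs, all run offline on constructed data."""
import ast
import sqlite3

# Constructed sample rows. Plaintext passwords are used only so the query
# behaviour is easy to see; a real product stores salted hashes.
SAMPLE_USERS = [("alice", "s3cret-alice"), ("bob", "s3cret-bob")]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    # BAD: attacker-controlled text becomes part of the SQL statement.
    rows = conn.execute(
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return sorted(r[0] for r in rows)


def login_parameterized(conn, username, password):
    # GOOD: the statement shape is fixed; values are bound separately.
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    )
    return sorted(r[0] for r in rows)


def demo_injection():
    """Same credentials through both paths; the tautology payload only
    bypasses the string-built query."""
    conn = build_db()
    payload = "' OR '1'='1"  # closes the literal, makes the WHERE always true
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret-alice"),
        "legit_parameterized": login_parameterized(conn, "alice", "s3cret-alice"),
        "inject_vulnerable": login_vulnerable(conn, "alice", payload),
        "inject_parameterized": login_parameterized(conn, "alice", payload),
    }


def _is_string_built(node):
    """True when an expression builds a string at runtime: %-format,
    '+' concatenation, f-string, or str.format()."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    if isinstance(node, ast.JoinedStr):
        return True
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def find_string_built_queries(source):
    """Toy SAST rule: line numbers where .execute()/.executemany() receives
    a first argument assembled at runtime instead of a constant statement."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany")
                and node.args
                and _is_string_built(node.args[0])):
            hits.append(node.lineno)
    return sorted(hits)


# Constructed snippet to scan: lines 2 and 4 are unsafe, line 3 is not.
SNIPPET = """\
def lookup(conn, uid):
    conn.execute("SELECT * FROM t WHERE id = '%s'" % uid)
    conn.execute("SELECT * FROM t WHERE id = ?", (uid,))
    conn.execute(f"SELECT * FROM t WHERE id = '{uid}'")
"""

if __name__ == "__main__":
    print(demo_injection())
    print("string-built queries at lines:", find_string_built_queries(SNIPPET))
```

The AST rule is deliberately narrow: it only sees runtime string building at the call site, so a query assembled into a variable a few lines earlier slips past it. That gap is exactly why the guide pairs static analysis with dynamic testing rather than relying on either alone.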
CISA and its counterparts said manufacturers must "make hard tradeoffs" and prioritize capabilities and mechanisms in tools that protect customers rather than adopting product features that seem appealing but enlarge the attack surface. Investing in secure-by-design practices for both new and existing tools will improve the security posture of customers and reduce the likelihood of them being compromised.
"Taking ownership of the security outcomes for customers and ensuring this level of customer security may increase development costs," the agencies wrote. "Security-by-design principles not only strengthen the security posture for customers and brand reputation for developers but also lower maintenance and patching costs for manufacturers in the long term."
'Security Is Not a Luxury Option'
One theme the CISA report hammers on is that the tech industry shouldn't treat better security as an opportunity to jack up prices.
"Manufacturers of products that are 'Secure-by-Default' do not charge extra for implementing additional security configurations," the agencies wrote. "They include them in the base product like seat belts are included in all new cars. Security is not a luxury option but is closer to the standard every customer should expect without negotiating or paying more."
Products shouldn't have universally shared default passwords and should instead require administrators to set a strong password during installation and configuration, the report states. Manufacturers should also provide customers with high-quality audit logs at no extra charge since they're crucial for detecting, escalating and investigating potential security incidents, the agencies said.
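To make the default-password and audit-log recommendations concrete, here is an added Python sketch of a first-boot setup step; it is not code from the CISA guide or from the article. It refuses to proceed with a shared default credential, requires an administrator-chosen password of a minimum length, stores only a salted scrypt hash, compares in constant time, and appends a structured audit record. The minimum length, the blocklist and the `admin` account name are assumptions made for the illustration.

```python
"""Added example, not code from the CISA guide or from the article.
A first-boot setup step with no shared default credential and an audit
record for the credential change. Policy constants are assumptions."""
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone

MIN_LENGTH = 12  # assumed policy value for the illustration
# Constructed blocklist of credentials that ship in far too many products.
SHARED_DEFAULTS = {"admin", "password", "changeme", "123456", "default"}


class SetupError(ValueError):
    """Raised when setup cannot continue securely."""


def validate_initial_password(candidate):
    """Return True for an admin-chosen, non-trivial password; raise otherwise."""
    if not candidate:
        raise SetupError("an administrator password is required; there is no default")
    if candidate.lower() in SHARED_DEFAULTS:
        raise SetupError("shared default credentials are refused")
    if len(candidate) < MIN_LENGTH:
        raise SetupError(f"password must be at least {MIN_LENGTH} characters")
    return True


def is_acceptable_password(candidate):
    try:
        return validate_initial_password(candidate)
    except SetupError:
        return False


def hash_password(password, salt=None):
    """Salted scrypt; a fresh 16-byte salt is drawn when none is supplied."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def first_boot_setup(admin_password, audit_log):
    """Run once at install. Stores only the hash and records the event."""
    validate_initial_password(admin_password)
    salt, digest = hash_password(admin_password)
    record = {"user": "admin", "salt": salt.hex(), "scrypt": digest.hex()}
    audit_log.append(json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(),
        "event": "initial_admin_credential_set",
        "user": "admin",
        "source": "installer",
    }))
    return record


if __name__ == "__main__":
    log = []
    stored = first_boot_setup("correct horse battery staple", log)
    print(stored["user"], "configured; audit:", log[0])
```

The audit entry is written at the moment the credential is set, not on first login, so a product that is installed and then abandoned still leaves a record that no administrator ever chose a password for it.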
"While customer input is important, the authoring agencies have observed important cases where customers have been unwilling or unable to adopt improved standards, often network protocols," the agencies said. "It is important for the manufacturers to create meaningful incentives for customers to stay current and not allow them to remain vulnerable indefinitely."
Incenting Manufacturers to Prioritize Security
Authorities urged software manufacturers to ensure vulnerability advisories are complete and accurate and to share what they learn from customer deployments, such as how often strong authentication measures are adopted. Manufacturers should maintain open communication regarding product security issues and emphasize security in internal forums, external product marketing and client engagements.
Security leaders should develop measurements of effectiveness for their security investments that align with reducing configuration errors, reducing the volume of security patches customers must apply and minimizing the attack surface, cybersecurity authorities said. And product teams should be rewarded for developing products that adhere to best security practices via awards, financial incentives or promotion criteria.
"Senior leadership should hold teams accountable for delivering secure products as a key element of product excellence and quality," the agencies wrote.
Customers, meanwhile, should establish policies requiring that IT departments assess the security of manufacturer software before it is purchased, CISA and its counterparts said. Organizations should expect transparency from their technology suppliers about their internal security control posture and ensure they understand the shared responsibility model when adopting cloud systems, leaders said.
"IT leaders should collaborate with their industry peers to understand which products and services best embody these [secure-by-default] design principles," the agencies wrote. "By working together, customers can help provide meaningful input to manufacturers and create incentives for them to prioritize security."