As the US federal government continues to inch toward implementing the various national cybersecurity executive orders and implementation strategies, the Cybersecurity and Infrastructure Security Agency (CISA) will be publishing more documents to help companies achieve the desired outcomes. Put more succinctly, agencies are going to write a lot about the actions developers must take to ensure that they create secure applications. At the heart of these initiatives lie the principles of Secure-by-Design and Secure-by-Default. To a developer, these principles can seem abstract, which makes them difficult to implement.
In response to this confusion, CISA published “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default” on April 13, 2023. Joined by various domestic and international cybersecurity and law enforcement agencies, CISA uses the publication to outline what these principles are and the tactics for implementing them.
The TL;DR for CISA’s security-by-design and -default is that software manufacturers should evolve their development processes with policies and procedures that reward developers for adhering to the principles outlined in the document.
What is Secure-by-Design?
Secure-by-Design means that software manufacturers perform risk assessments to identify threats so that they can build technology products that reasonably protect against threat actors gaining unauthorized access to devices, data, and connected infrastructure. Business leadership and technical teams should collaborate so that they can take a holistic security approach to product design and development processes across the software development life cycle (SDLC).
What is Secure-by-Default?
Secure-by-Default means that software manufacturers design products to be resilient against prevalent exploitation techniques without requiring customers to take additional security steps. Products that are Secure-by-Default have the following qualities:
- Secure default configurations: automatically enabling fundamental security controls without requiring additional work while providing additional security control configurations at no additional cost
- Security not a customer problem: securing the “default path” to reduce IT staff’s security responsibilities during deployment
The Software Product Security Principles
The three core principles that guide software security are:
- Ownership: Software manufacturers take on more responsibility for securing products and evolving their products’ security.
- Transparency and accountability: Software manufacturers view security as a product differentiator, sharing information learned from customer deployments and viewing common vulnerabilities and exposures (CVE) reports as a sign of a healthy code analysis and testing community.
- Governance: Executive leadership is responsible for prioritizing security through threat modeling, aligning security controls to Secure-by-Default principles, allocating resources appropriately, maintaining internal and external feedback loops, and measuring how effectively the company helps customers.
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-218, the Secure Software Development Framework (SSDF), lays the groundwork for these tactics. However, the CISA publication outlines the following list of best practices for establishing a written roadmap to adopt Secure-by-Design software development practices:
- Use memory safe programming languages where possible
- Incorporate fine-grained memory protection architectural features
- Acquire software components from trusted third-party locations and maintain well-secured components
- Use web template frameworks implementing automatic user-input escaping
- Analyze source code with static and dynamic application security testing tools (SAST/DAST)
- Engage in peer code reviews
- Provide a Software Bill of Materials (SBOM) for all products
- Establish a vulnerability disclosure program that includes processes for determining vulnerability root causes and whether additional practices would have prevented the vulnerability
- Publish complete CVE reports with root cause or common weakness enumeration (CWE) that enable industry trend identification
- Design infrastructure according to defense-in-depth practices
- Design products so that they meet basic security practices to satisfy Cyber Performance Goals (CPGs)
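The "automatic user-input escaping" practice in the list above is easy to state and easy to get wrong, so here is an added illustration (not code from the CISA publication or from Qwiet AI). It contrasts naive string formatting, which inserts untrusted values verbatim, with a minimal template renderer in which escaping is the default and a developer has to opt out explicitly with a triple-brace placeholder, the same design Jinja2 and Handlebars use with their "safe"/triple-stash markers. The template syntax, the function names and the sample input are all constructed for this example.

```python
import html
import re

# Constructed sample: a user-supplied display name that happens to contain markup.
UNTRUSTED_NAME = '<script>alert("x")</script>'

# {{{name}}} = explicit opt-out (trusted HTML); {{name}} = escaped by default.
# The triple-brace alternative is listed first so it wins at the same position.
_PLACEHOLDER = re.compile(r"\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}")


def render_unsafe(template: str, **context) -> str:
    """The anti-pattern: plain string formatting, values inserted verbatim."""
    return template.format(**context)


def render_autoescape(template: str, context: dict) -> str:
    """Secure-by-default renderer: every {{value}} is HTML-escaped unless the
    template author deliberately marks it as trusted with {{{value}}}."""

    def substitute(match: re.Match) -> str:
        raw_key, escaped_key = match.group(1), match.group(2)
        if raw_key is not None:
            # Developer opted out of escaping for this value on purpose.
            return str(context[raw_key])
        # quote=True also escapes " and ' so values are safe inside attributes.
        return html.escape(str(context[escaped_key]), quote=True)

    return _PLACEHOLDER.sub(substitute, template)


def leaks_markup(rendered: str, untrusted_value: str) -> bool:
    """Simple check a reviewer or test can run: does the untrusted input
    survive verbatim in the rendered output?"""
    return untrusted_value in rendered


if __name__ == "__main__":
    page = "<p>Hello, {name}</p>"
    print(render_unsafe(page, name=UNTRUSTED_NAME))
    print(render_autoescape("<p>Hello, {{name}}</p>", {"name": UNTRUSTED_NAME}))
```

Running the block prints the unescaped page first (the script tag lands in the document as live markup) and the escaped page second (the same bytes rendered as visible text). The point for a Secure-by-Design roadmap is that with the second renderer a developer who forgets about escaping still ships a safe page; only an explicit triple-brace opt-out can reintroduce the problem, which is also the only place a code review needs to look.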
Additionally, CISA recommends that software manufacturers prioritize the following Secure-by-Default configurations:
- Eliminate default passwords by requiring administrators to set strong passwords during installation and configuration and making multi-factor authentication (MFA) an opt-in for privileged users.
- Make single sign-on (SSO) a default configuration at no additional cost.
- Provide high-quality secure audit logs at no extra charge.
- Provide recommendations for authorized profile roles and how to use them, including warnings about increased risk when deviating from the recommended profile authorization.
- Prioritize security over backwards compatibility to empower security teams to remove insecure features.
- Track and reduce the size of “hardening guides” by integrating the components as default configurations.
- Integrate the most secure settings as defaults to reduce the cognitive burden on end-users.
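To make the configuration items above concrete, here is an added example of what an installer's settings object looks like when it follows them; it is illustrative code written for this post, not a Qwiet AI product feature and not taken from the CISA document. The secure values (MFA required for privileged accounts, SSO on, audit logging on) are the defaults and can only be switched off deliberately; there is no default administrator password, so one must be supplied and it is checked against a constructed blocklist of well-known defaults; every deviation from the recommended role profile or from a secure default produces a warning about increased risk; and a small "hardening gap" metric counts how many settings an operator would still have to change by hand, which is the number a hardening guide would otherwise have to document. The role profiles, blocklist, minimum length and function names are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed blocklist standing in for vendor defaults and well-known weak passwords.
KNOWN_DEFAULT_PASSWORDS = {"admin", "password", "changeme", "123456", "admin123"}
MIN_PASSWORD_LENGTH = 14  # assumed policy value for this example

# Hypothetical recommended role profiles: roles an account of each profile should hold.
RECOMMENDED_ROLES = {
    "admin": frozenset({"auditor", "operator"}),
    "service": frozenset({"read-only"}),
}

# The secure defaults a hardening guide would otherwise tell operators to set by hand.
SECURE_DEFAULTS = {
    "mfa_required_for_privileged": True,
    "sso_enabled": True,
    "audit_logging": True,
}


class InsecureConfigError(ValueError):
    """Raised when the installer is asked to accept an insecure configuration."""


@dataclass(frozen=True)
class InstallConfig:
    admin_password: str                       # no default: must be set at install time
    mfa_required_for_privileged: bool = True  # secure default, opt-out only
    sso_enabled: bool = True                  # SSO on by default, no extra cost tier
    audit_logging: bool = True                # audit logs on by default
    roles: frozenset = frozenset()            # roles granted to the admin account


def validate_password(password: str) -> None:
    """Reject empty, default and short passwords instead of shipping a known default."""
    if not password:
        raise InsecureConfigError("an administrator password must be set during installation")
    if password.lower() in KNOWN_DEFAULT_PASSWORDS:
        raise InsecureConfigError("default or well-known password rejected")
    if len(password) < MIN_PASSWORD_LENGTH:
        raise InsecureConfigError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")


def is_rejected(password: str) -> bool:
    """Helper so callers/tests can check rejection without catching the exception."""
    try:
        validate_password(password)
    except InsecureConfigError:
        return True
    return False


def hardening_gap(config: InstallConfig) -> int:
    """Number of settings that differ from the secure defaults; the goal is zero."""
    return sum(1 for name, value in SECURE_DEFAULTS.items() if getattr(config, name) != value)


def build_config(admin_password: str, profile: str = "admin", **overrides) -> tuple:
    """Build the install-time configuration and return (config, warnings).

    Secure settings are the defaults; an operator may override them, but every
    deviation is reported so the increased risk is visible rather than silent."""
    validate_password(admin_password)
    config = InstallConfig(admin_password=admin_password, **overrides)
    warnings = []
    for name, secure_value in SECURE_DEFAULTS.items():
        if getattr(config, name) != secure_value:
            warnings.append(f"{name} deviates from the secure default ({secure_value}); increased risk")
    unexpected_roles = set(config.roles) - RECOMMENDED_ROLES.get(profile, frozenset())
    for role in sorted(unexpected_roles):
        warnings.append(f"role '{role}' is outside the recommended '{profile}' profile; increased risk")
    return config, warnings


if __name__ == "__main__":
    cfg, notes = build_config("correct-horse-battery-staple-42", roles=frozenset({"operator"}))
    print(cfg, notes, hardening_gap(cfg))
```

The design choice worth noting is that the warnings are returned to the caller rather than printed: an installer can surface them in its UI, write them to the audit log it has just enabled, or fail the build in CI, and the `hardening_gap` count gives a product team a single number to drive toward zero release over release, which is how "track and reduce the size of hardening guides" becomes measurable.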
Qwiet AI: Streamlined Application Security Testing to Enable Security-by-Design and -Default
Qwiet AI’s Code Property Graph (CPG)-based scanning methodology provides visibility into your source code’s fundamental components, identifying functional elements and data-flow paths for a consolidated view of all code being scanned. With our intelligent Software Composition Analysis (SCA), you can prioritize your remediation activities with data that shows which open source libraries contain vulnerabilities and whether attackers can exploit them within the context of your source code. Using our SBOM generation tool, you get an in-depth explanation of the security issues associated with the identified packages so that you can mitigate threats and document your activities, enabling you to provide timely and accurate self-attestation documentation.
You can integrate the preZero platform into your current CI/CD pipelines, ticketing systems, and development tools. By building security directly into your current processes, our platform enables you to incorporate container security into your secure software development life cycle (SSDLC) processes while still ensuring that you get the speed you need to deliver software on time.