
As the US federal government continues to inch toward implementing the various national cybersecurity executive orders and implementation strategies, the Cybersecurity and Infrastructure Security Agency (CISA) will be publishing more documents to help companies achieve the desired outcomes. To be more succinct, agencies are going to write a lot about actions developers must take to ensure that they create secure applications. At the heart of these initiatives lie the principles of Secure-by-Design and Secure-by-Default. As a developer, these principles can seem abstract, making them difficult to implement. 

In response to confusion, CISA published “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default” on April 13, 2023. Joined by various domestic and international cybersecurity and law enforcement agencies, the publication outlines what these principles are and the tactics for implementing them.

The TL;DR for CISA’s security-by-design and -default is that software manufacturers should evolve their development processes with policies and procedures that reward developers for adhering to the principles outlined in the document. 

What is Secure-by-Design?

Secure-by-Design means that software manufacturers perform risk assessments to identify threats so that they can build technology products that reasonably protect against threat actors gaining unauthorized access to devices, data, and connected infrastructure. Business leadership and technical teams should collaborate so that they can take a holistic security approach to product design and development processes across the software development life cycle (SDLC). 

What is Secure-by-Default?

Secure-by-Default means that software manufacturers design products to be resilient against prevalent exploitation techniques without requiring customers to take additional security steps. Products that are Secure-by-Default have the following qualities:

  • Secure default configurations: automatically enabling fundamental security controls without requiring additional work while providing additional security control configurations at no additional cost
  • Security not a customer problem: securing the “default path” to reduce IT staff’s security responsibilities during deployment

The Software Product Security Principles

The three core principles that guide software security are:

  • Ownership: Software manufacturers take on more responsibility for securing products and evolving their products’ security. 
  • Transparency and accountability: Software manufacturers view security as a product differentiator, sharing information learned from customer deployments and viewing common vulnerability and exposure (CVE) reports as a sign of a healthy code analysis and testing community. 
  • Governance: Executive leadership is responsible for prioritizing security through threat modeling, aligning security controls to Secure-by-Default principles, allocating resources appropriatel