An aspirational movement to shift the responsibility for security in technology products and services to manufacturers and vendors got a major boost Thursday. Cyber authorities in the U.S. and six other nations issued recommendations and tactics to ensure products are secure by design and default from the get-go.
The principles, as outlined by the Cybersecurity and Infrastructure Security Agency and its peers in the U.K., Germany, Canada, Australia, New Zealand and the Netherlands, put more connective tissue and action behind the Biden administration’s recently revealed national cybersecurity strategy.
The joint guide encapsulates many recommendations previously shared by CISA and other authorities, including technical recommendations for software and infrastructure design and best practices for default security measures.
Laws and regulations that impose greater responsibility on the technology sector aren’t likely to come quick or easy. For now, there are not enforcement mechanisms tied to the principles.
The agencies behind the effort are strongly encouraging every technology manufacturer to build products in a way that prevents the need for customers to constantly perform monitoring, routine updates and damage control on their systems to mitigate cyber intrusions.
The status quo, described as vulnerable by design, bears constant weaknesses, the agencies said. Meaningful change requires technology manufacturers and vendors to revamp design and development programs, and place a much greater priority on security.
“Only by incorporating secure-by-design practices will we break the vicious cycle of creating and applying fixes,” the agencies said in the joint guide.
Secure-by-design development requires a significant investment of resources at each layer of the design and development process, the authorities acknowledged.
Manufacturers are urged to migrate to programming languages that eliminate widespread vulnerabilities and prioritize features that protect customers over those that might seem appealing but expand the attack surface.
“There is no single solution to end the persistent threat of malicious cyber actors exploiting technology vulnerabilities, and products that are secure-by-design will continue to suffer vulnerabilities,” the agencies said in the guide. “However, a large set of vulnerabilities are due to a relatively small subset of root causes.”
Secure-by-design principles may increase development costs, but they could also lower maintenance and patching costs long term, the agencies said.
The outlined secure-by-design tactics include:
- Memory safe programming languages, such as Rust, Ruby, Java, Go, C# and Swift.
- A secure hardware foundation that enables fine-grained memory protection.
- Secure software components, including libraries, modules, middleware and frameworks by commercial, open source and third-party developers.
- Web template frameworks that automatically escape user input to avoid cross-site scripting attacks.
- Parameterized queries to avoid SQL injection attacks.
- Static and dynamic applications security testing to detect error-prone practices.
- Peer code review
- Software bill of materials
- Vulnerability disclosure programs that allow security researchers to report vulnerabilities without fear of legal jeopardy.
- Complete CVE details, including root cause or common weakness enumeration.
- Infrastructure that is designed to adhere to defense-in-depth principles so the compromise of a single control doesn’t result in full system compromise.
- Measures and practices that meet CISA’s cybersecurity performance goals.
Technology vendors should make secure configurations the default baseline, and when customers deviate from those defaults it should be abundantly clear they are increasing the likelihood of compromise, according to the guide.
Products that meet this mark will automatically enable the most important security controls and provide customers the ability to use and further configure security controls at no additional cost.
“The complexity of security configuration should not be a customer problem,” the agencies said in the guide.
Additional security configurations should be included in the base product, much like seatbelts are included in all new cars, and not sold as a luxury option, according to the guide.
Secure-by-default tactics include:
- The elimination of default, universally shared passwords.
- A multifactor authentication mandate for privileged users.
- Single sign-on for IT applications.
- The provision of high-quality audit logs to customers at no extra charge.
- Recommendations on authorized profile roles and their designated use case.
- The prioritization of security over backwards compatibility.
- A consistent reduction in the size of hardening guides.
- An assessment of user experience burdens introduced by security settings.
Cyber authorities encourage organizations to hold technology manufacturers and vendors accountable for the security outcomes of their products.
“IT departments should be empowered to develop purchasing criteria that emphasize the importance of secure-by-design and secure-by-default practices,” the agencies said in the guide.
“Organizations should expect transparency from their technology suppliers about their internal control posture as well as their roadmap toward adopting secure-by-design and secure-by-default practices.”