A robust debate is emerging about the lofty goals and potential costs of actually implementing the Cybersecurity and Infrastructure Security Agency's long-awaited guidelines for secure by design.
CISA, along with the FBI and National Security Agency, unveiled an extensive set of guidelines in concert with key international cyber authorities on Thursday.
Officials are urging the global software industry to make substantial changes in how it develops applications in order to minimize flaws in code, make multifactor authentication a standard security feature and take other steps to reduce the risk of malicious attacks.
“Companies, of course, are working towards building secure products, but [are they] really thinking about how they take true ownership of the security outcomes of their customers,” Bob Lord, senior technical advisor at CISA, told Cybersecurity Dive in an interview. “It’s a mindset change that will need to trickle down throughout the entire organization.”
Almost everyone involved says the software industry would like to build more trusted applications, but doing so requires a significant investment of time, money and expertise. The fear is that this comes at the expense of innovation, customer loyalty and ultimately profitability.
The Software Alliance, also known as BSA, praised CISA for putting together a global effort to implement secure-by-design practices.
“Enterprise software companies take seriously their responsibilities to customers and the public, and continuously work to evolve the security of their products to meet new threats,” Henry Young, director of policy at BSA, said via email.
Young noted that BSA has advocated secure-by-design principles for years; those principles are also included in the BSA Framework for Secure Software. Beyond supporting the principles, BSA is also backing CISA’s call for senior business leaders to take a leadership role in managing cyber risk.
CISA officials told Cybersecurity Dive that corporate leaders need to take a top-down approach to ensure companies are supporting cyber risk management.
Google, which publicly pledged support for the effort back in February, said it was glad to see governments across the globe prioritizing secure-by-design principles.
“It’s our belief that good security starts with the companies building the technology that gets put into people’s hands,” Royal Hansen, VP of privacy, safety and security engineering at Google, said Thursday in an emailed statement.
Hansen said building products that are secure by default is “at the center of Google’s security approach,” and is ingrained in how the company serves everyone “from businesses, to consumers and public officials.”
Microsoft, on the other hand, declined to comment on the rollout of secure by design, and instead shared a March 9 blog post by Tom Burt in which he expressed support for the Biden administration’s national cybersecurity strategy.
While there is public support for the secure-by-design framework as a concept, Tom McNamara, CEO of Hopr, has doubts that CISA’s ambitious goals can be turned into achievable action.
“The problem with software code — whether it is in a software or hardware product — is that it rarely operates in a closed system,” McNamara said via email. “It’s part of an interconnected system (think wireless devices) that exposes it to all kinds of unplanned interactions.”
This is more true than ever, according to McNamara, with IoT devices operating in cloud and modern production environments built on interconnected systems. In these types of environments, zero-day vulnerabilities are a fact of life.
Secure by default will be even more difficult to reach, McNamara said, mainly due to economic concerns.
CISA officials position secure by default as allowing customers to avoid making extensive configuration changes to products in order to reach an optimum level of security. For example, MFA would be enabled by default. Software users would also not be required to pay additional fees for extra security, but rather those additional layers would be included in products before they ship.
Security, at what cost?
CISA's Lord acknowledges that companies have spent the last two decades making new investments in security technologies, including advances in sandboxing, automated security updates and other features designed to build resilience.
But some industry leaders fear that the time and investment required to reach such a high standard will come at a real cost to the development of new products.
“The amount of testing and quality assurance necessary to achieve the CISA standard for this would slow the introduction of technology products to market,” McNamara said. “Time to market matters.”
Chris Wysopal, founder and CTO at Veracode, a specialist in application security testing, said in order for secure by design to work as intended, security needs to be continuous and built-in throughout the entire lifecycle of a product.
“Too often, deadline-driven development organizations skimp on security best practices that prevent vulnerable and exploitable software flaws,” Wysopal said via email.
Wysopal warned that open source is becoming a systemic risk for the country: continuously evolving open source libraries can shift from appearing secure one day to vulnerable the next.
Automated security testing needs to be built into the tools developers use, and the secure-by-design process must be measurable so that its effectiveness can be determined. Transparency also needs to be built into the process to make sure regulators and customers are properly informed.
Brian Fox, co-founder and CTO of Sonatype, said the rising level of attacks in recent years demonstrates that the software industry has been slow to keep pace with the security needs of customers, and that significant changes will need to take place.
“Based on the new level of attacks happening everywhere against software supply chains, it should be impossible to think that you can build software like we did 20 years ago, with hard-coded passwords and anonymous access to systems by default,” Fox said via email. “This guidance makes it clear that this is unacceptable for those organizations that haven’t been keeping up.”