CISA Sets International Standard for Secure-by-Design Software

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and 17 international partners published an update (in October 2023) to their joint guidance titled "Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software." The updated guide urges software manufacturers to make urgent changes so that they ship products that are secure by design, and expands on three key principles:

(i) Taking ownership of customer security outcomes;

(ii) Embracing radical transparency and accountability; and

(iii) Leading from the top.

It provides tools for manufacturers to demonstrate commitment to secure-by-design and for customers to evaluate progress. With eight additional international agencies signing on as partners since its initial release in April 2023, the document represents a global call-to-action for the technology industry to prioritize security in software design and development.

CISA has launched "Secure by Design Alerts" (SbD Alert) to call out vulnerabilities that unnecessarily expose customers to cyberattacks.

  • Rather than simply warning users, the alerts show how decisions that software companies make in their software development lifecycles (SDLCs) enable real-world damage, even where well-known mitigations exist.
  • CISA acknowledges that perfect security is unattainable, but expects that publicly identifying the recurring classes of flaw behind intrusions will push companies to examine their whole development process and find where they unintentionally introduce risk at design time.
  • By surfacing the design and supply-chain choices that weaken customers' defenses, the alerts make the case that manufacturers must take responsibility for problems they indirectly create for users.
  • CISA's aim is to drive change so that critical infrastructure becomes safer over time.

I. The first alert, released on November 29, 2023, highlights weaknesses in web management interfaces that persist despite well-known best practices. "Secure by Design Alert: How Software Manufacturers Can Shield Web Management Interfaces From Malicious Cyber Activity" calls on manufacturers to apply secure-by-design practices to the management interfaces of their products.

  • It highlights the continuous exploitation of vulnerabilities in web management interfaces by malicious actors and urges manufacturers to adopt secure-by-design principles. These principles include:

(a) Taking Ownership of Customer Security Outcomes: This involves investing in application hardening, features, and default settings, ensuring products are secure by default and educating customers on potential risks.

  • Software manufacturers should conduct field tests to understand how their customers deploy products in their unique environments and whether customers are deploying products in unsafe ways. Furthermore, software manufacturers should consistently enforce authentication throughout their product, especially on critical interfaces such as administrator portals.
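As an added illustration of "consistently enforce authentication throughout the product" (this is example code written for this summary, not CISA's code and not any vendor's product), the following in-process router models an appliance's HTTP management interface. Every registered path requires a valid session unless the developer explicitly marks it public, so an administrator endpoint added later cannot ship unauthenticated by omission. The authentication check also runs before the route lookup, so an unauthenticated client cannot enumerate which admin paths exist. The session store, token format, paths and handler bodies are constructed for illustration.

```python
"""Deny-by-default authentication for a web management interface (added example)."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

Handler = Callable[["Request"], str]


@dataclass
class Request:
    path: str
    session_token: Optional[str] = None  # e.g. carried in a cookie


class ManagementRouter:
    def __init__(self) -> None:
        self._routes: Dict[str, Handler] = {}
        self._public: Set[str] = set()
        # token -> username; a real product would persist and expire these
        self._sessions: Dict[str, str] = {}

    def route(self, path: str, *, public: bool = False) -> Callable[[Handler], Handler]:
        """Register a handler. Authentication is required unless public=True is stated."""
        def register(fn: Handler) -> Handler:
            self._routes[path] = fn
            if public:
                self._public.add(path)
            return fn
        return register

    def login(self, username: str) -> str:
        """Issue an unguessable session token (credential verification elided)."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def _session_user(self, req: Request) -> Optional[str]:
        if not req.session_token:
            return None
        return self._sessions.get(req.session_token)

    def dispatch(self, req: Request) -> Tuple[int, str]:
        # One check, ahead of every handler and ahead of the route lookup:
        # it cannot be forgotten per endpoint, and unknown paths are not
        # distinguishable from protected ones without a session.
        if req.path not in self._public and self._session_user(req) is None:
            return 401, "authentication required"
        handler = self._routes.get(req.path)
        if handler is None:
            return 404, "not found"
        return 200, handler(req)


def build_router() -> ManagementRouter:
    """Constructed routes standing in for a device's management pages."""
    app = ManagementRouter()

    @app.route("/login", public=True)
    def login_page(req: Request) -> str:
        return "login form"

    @app.route("/admin/status")
    def status(req: Request) -> str:
        return "uptime 12d"

    # A developer who never thinks about auth still gets a protected route.
    @app.route("/admin/reboot")
    def reboot(req: Request) -> str:
        return "rebooting"

    return app


if __name__ == "__main__":
    app = build_router()
    print(app.dispatch(Request("/admin/reboot")))
    token = app.login("admin")
    print(app.dispatch(Request("/admin/reboot", session_token=token)))
```

The design choice worth copying is that "public" is the exception that must be spelled out, not "protected": a missed decorator argument fails closed.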

(b) Embracing Radical Transparency and Accountability: Manufacturers should be transparent about vulnerabilities and learn from them, aiming to eliminate repeat vulnerabilities.


II. The second alert on December 15, 2023, "Secure by Design Alert: How Manufacturers Can Protect Customers by Eliminating Default Passwords" emphasizes the critical need for software manufacturers to enhance customer security by eliminating default passwords.

  • Recent intrusions targeting programmable logic controllers (PLCs) hardcoded with a four-digit password demonstrate the significant potential for real-world harm caused by manufacturers distributing products with static default passwords. In these attacks, the default password was widely known and publicized on open forums where threat actors are known to mine intelligence for use in breaching U.S. systems.

(a) Take Ownership of Customer Security Outcomes: This principle encourages manufacturers to create secure default configurations, avoiding widely known default passwords. It suggests alternatives like instance-unique setup passwords, time-limited setup passwords, and requiring physical access for initial setup. The goal of this principle is to create enduring security for the long-term administration of products starting with the installation process.

  • Manufacturers should not assume that users know they must disable insecure default configurations. Instead, manufacturers should follow the above alternatives or design their own setup flow to secure their products and not put the burden of secure configuration on customers.
  • Additionally, manufacturers should conduct field tests to understand (1) how their customers deploy products in their unique environments and (2) whether customers are deploying products in unsafe ways.
  • Analysis of these field tests will help bridge the gap between developer expectations and actual customer usage of the product. It will also help identify ways to build the product so customers will be most likely to securely use it—manufacturers should ensure that the easiest route is the secure one.
  • For example, for many products, this route includes manufacturers supporting integration with enterprise identity and access management systems, such as single sign-on (SSO) systems, at no additional cost to the customer.
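The setup-flow alternatives named above (instance-unique setup passwords, time-limited setup passwords, physical access for initial setup) can be combined in one first-boot flow. The following is an added example written for this summary, not CISA's code and not any manufacturer's firmware. It contrasts the pattern the alert warns about (one static password baked into every unit) with a flow in which each device generates its own setup password, honours it only for a bounded window, and forces the first successful login to replace it; once that window closes, a fresh setup password is issued only when someone holds a physical button on the device. The TTL, the password policy, the weak-password list and the "1111" legacy default are constructed values for illustration.

```python
"""Instance-unique, time-limited setup credential in place of a shared default (added example)."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional

# The anti-pattern: identical on every unit, so one forum post unlocks them all.
LEGACY_SHARED_DEFAULT = "1111"  # constructed example of a four-digit default

SETUP_PASSWORD_TTL_SECONDS = 30 * 60  # constructed: setup password valid for 30 minutes
MIN_PASSWORD_LENGTH = 12               # constructed policy
WEAK_PASSWORDS = {"1234", "admin", "password", LEGACY_SHARED_DEFAULT}
PBKDF2_ITERATIONS = 100_000

UNPROVISIONED = "unprovisioned"
SETUP_EXPIRED = "setup-expired"
DENIED = "denied"
CHANGE_REQUIRED = "change-required"
OK = "ok"


class Device:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now  # injectable clock so the expiry logic can be exercised
        self._salt: Optional[bytes] = None
        self._pw_hash: Optional[bytes] = None
        self._setup_expires_at: Optional[float] = None
        self._must_change = True

    def _store(self, password: str) -> None:
        self._salt = secrets.token_bytes(16)
        self._pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, PBKDF2_ITERATIONS)

    def _matches(self, password: str) -> bool:
        assert self._salt is not None and self._pw_hash is not None
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, self._pw_hash)

    def first_boot(self) -> str:
        """Generate this unit's own setup password (shown on the console or a label)."""
        setup_password = secrets.token_urlsafe(12)
        self._store(setup_password)
        self._setup_expires_at = self._now() + SETUP_PASSWORD_TTL_SECONDS
        self._must_change = True
        return setup_password

    def authenticate(self, password: str) -> str:
        if self._pw_hash is None:
            return UNPROVISIONED
        # An unclaimed setup password stops working after the window closes,
        # so a unit left unconfigured is not a permanent open door.
        if self._setup_expires_at is not None and self._now() > self._setup_expires_at:
            return SETUP_EXPIRED
        if not self._matches(password):
            return DENIED
        return CHANGE_REQUIRED if self._must_change else OK

    def change_password(self, current: str, new: str) -> bool:
        if self.authenticate(current) not in (OK, CHANGE_REQUIRED):
            return False
        if len(new) < MIN_PASSWORD_LENGTH or new.lower() in WEAK_PASSWORDS:
            return False
        self._store(new)
        self._setup_expires_at = None  # the time limit applied only to the setup credential
        self._must_change = False
        return True

    def reprovision(self, physical_button_held: bool) -> Optional[str]:
        """Issue a fresh setup password only when someone is physically at the device."""
        if not physical_button_held:
            return None
        return self.first_boot()


if __name__ == "__main__":
    unit = Device()
    setup = unit.first_boot()
    print("setup password for this unit:", setup)
    print(unit.authenticate(LEGACY_SHARED_DEFAULT), unit.authenticate(setup))
```

The point to take from the structure is that the secure route is also the only route: there is no shared credential to disable, the setup credential cannot outlive its window, and the first login cannot proceed without choosing a password that the policy accepts.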

(b) Build Organizational Structure and Leadership to Achieve Security Goals: Manufacturers should integrate cybersecurity into the core of their product development and design, treating it as a key aspect of product and public safety. Manufacturers should ensure that design and development teams engineer products with security and safety built in by default.

  • Design, development, and delivery teams should prioritize understanding research on how real customers use product configurations and how those configuration choices, in turn, create or mitigate cybersecurity risks.
  • Executive leadership can ensure that feedback on how customers use products meaningfully informs product changes to create safe defaults that reduce risk.
  • Executive leadership should also build the incentive structures within the business—especially at the inception of product design and development—and allocate appropriate resources to their design, development, and delivery teams to enable these outcomes.


More articles by Commtel Networks
