What Will It Take to Adopt Secure by Design Principles?
Plenty of guidance lays the groundwork for secure by design software, but there is a lot of work to be done to build a bridge from guidance to adoption.
At a Glance
- Increasing cyberattack vulnerabilities have created the need for a ‘secure by design’ strategy.
- Secure by design principles shift some of the security responsibility to vendors.
- With more demand from consumers and government regulators, secure by design adoption will likely increase in the future.
A total of 26,447 vulnerabilities were disclosed in 2023. In 2000, just over 1,000 vulnerabilities were disclosed, with an upward trend continuing for the past two decades, according to research by the Qualys Threat Research Unit published in December 2023. In 2023, Qualys found that less than 1 percent of vulnerabilities contributed to the highest level of risk, but active exploitation can have serious consequences for enterprises that rely on the software with these vulnerabilities.
A plethora of vulnerability tracking tools are available. The Cybersecurity and Infrastructure Security Agency (CISA) maintains the Known Exploited Vulnerabilities Catalog, and many companies offer tools and platforms that scan for vulnerabilities. Cybersecurity teams are responsible for keeping up with this influx of information and patching vulnerabilities that could be exploited. But should the bulk of the responsibility for mitigating the risk of insecure software rest solely on their shoulders?
There has been an increasing push to shift that responsibility back to software manufacturers. The Biden Administration released a National Cybersecurity Strategy in 2023, and one of its pillars focuses on making vendors responsible for developing secure products. CISA is working to drive this shift through its Secure by Design initiative.
The initiative offers software manufacturers a roadmap to build security into their products before they are put into the hands of customers. How could secure by design go from framework to industry standard?
CISA’s Guidance
CISA’s Secure by Design framework was initially released in April 2023 and updated in October 2023. It focuses on recommendations for making security a core business goal (secure by design) and creating products that are secure with little need for configuration changes and additional costs for customers (secure by default).
The framework encourages software manufacturers to embrace three security principles. First, it calls for vendors to take ownership of their customers’ security outcomes. Second, it pushes for transparency and accountability by sharing information learned from customer deployments and vulnerability advisories. Third, the framework calls on senior executives to play an active role in prioritizing secure product development.
CISA did not create its recommendations in a vacuum. It developed the guidance with 17 US and international partners. The agency sought input from industry stakeholders. In August, CISA hosted a closed-door discussion at the hacker conference DEF CON in Las Vegas. During the session, participants received copies of what would become the latest iteration of the secure by design white paper. “We told them to mark it up with red pens, and then we spent a good amount of time taking all those comments, combing through them and then incorporating the feedback,” Lauren Zabierek, senior advisor, cybersecurity division at CISA, tells InformationWeek.
CISA’s framework is fleshed out with specific recommendations for secure product development practices and steps to take to embrace each of the principles. The agency is following up its framework with Secure by Design alerts, like a December 2023 alert on eliminating default passwords, to continue proactively supporting the implementation of these principles.
The Benefits of Secure by Design
The current market without a secure by design approach presents challenges for users. “It is a buyer beware world where you assume all the risks that product presents and don't necessarily know, due to the complexity of the product, what those risks are,” says Gregory Touhill, director of the Software Engineering Institute’s CERT Division at Carnegie Mellon University.
Users also often need to use a significant amount of resources after the purchase of a software product. It is often up to them to properly install, train and configure it to ensure it operates securely. “There are hidden costs associated with software and systems that are not secure by design,” says Touhill.
The benefit of products that are built with secure by design and secure by default principles is clear for users: it shifts some of the security risk, burden and cost to the vendors’ side of the table.
But what do vendors get out of this? Putting secure by design principles into action comes with a cost, but Zabierek argues that it is possible for adoption to have financial benefits for software manufacturers as well.
“I think when done right, building technology securely helps to reclaim employee time that may have been otherwise spent on fixing these defects after the fact or taking systems offline,” she explains.
As governments and consumers look more closely at security, vendors may also find secure by design differentiates them in the market. “The patience for accepting products that are not secure by design and secure by default is waning,” says Touhill.
Adoption Hurdles
Secure by design has become an industry buzz phrase, but that doesn’t necessarily translate into widespread adoption. CISA’s framework is a useful tool, but it is not a mandate, nor is there any other widespread regulation requiring technology vendors to embrace secure by design principles.
CISA’s framework is aimed at software manufacturer leadership because they will ultimately drive the decision making that will make products secure by design. “We found that developers really do want to create quality products, but often that focus is on speed to market or features,” says Zabierek.
CISA is working to collaborate with industry partners on this initiative, but it is, for now, ultimately up to vendors whether to make the changes to product development. “Based on my conversations with manufacturers and those who are building out products, it will boil down to a cost-benefit analysis,” says Touhill. “Manufacturers look at the cost of development, the time to development, the advantages of getting to market faster than some of their competitors. All of these come to play into the calculus for the vendors.”
Are there enough incentives to make that cost-benefit analysis tip in the favor of secure by design?
Jen Easterly, director of CISA, addressed the issue of incentive during Singapore International Cyber Week 2023. “At the end of the day, I think industry really wants to be good partners on this. It’s just a matter of signaling and incentives,” she said during a session.
Signaling could come in the form of secure by demand. Enough customers demanding that vendors create secure products could move the needle on secure by design forward. “We have to do that work to generate that demand signal to businesses,” says Zabierek.
Touhill believes that the vendors and consumers have reached a tipping point that may lead to regulators playing a role in creating incentives. “I think we're at an inflection point…if the market is not adjusting and producing better and more secure code, what is the role of government regulators?” he asks.
Governments could introduce regulatory requirements. They could push for software manufacturers to participate in some form of attestation, demonstrating the secure by design principles used in the development of a product via something Touhill likens to a nutrition label. Regulators could also potentially drive more consumer education to fuel secure by demand.
“At the end of the day unless there is an incentive structure that governments put in place, I think we're going to continue to meander forward with many companies not embracing those principles like we wish that they would,” Touhill argues.
The Future of Secure by Design
What does the future of secure by design adoption look like? CISA is continuing its work alongside industry partners. “Part of our strategy is to collect data on attacks and understand what that data is telling us about risk and impact and derive further best practices and work with companies, and really other nations, to adopt these principles,” Zabierek shares.
International collaboration on secure by design is reflected not only in this CISA initiative but also in the Guidelines for Secure AI System Development. CISA and the UK’s National Cyber Security Centre (NCSC) led the development of those guidelines, and 16 other countries have agreed to them. But like the Secure by Design initiative, this framework is also non-binding.
A software manufacturer’s timeline for adopting secure by design principles will depend on its appetite, resources and the complexity of its products. But the more demand there is from government and consumers, the more likely adoption becomes.
Right now, CISA has no plans to track adoption. “We're more focused on collaborating with industry so that we can understand best practices and recommend further better guidelines,” says Zabierek.
While individual vulnerability metrics are important to track, Zabierek cautions against using them as a proxy for determining whether a company is adhering to secure by design principles.
“Vulnerability reporting is voluntary, and we want companies to continue to do this,” she explains. “So, what we should be looking at is more of the recurrence of those vulnerabilities and reducing entire classes of vulnerabilities or defects over time as an indicator of adoption and progress.”
Zabierek also notes the importance of developing a workforce that has a strong knowledge of security. That could mean software manufacturers collaborate with educational institutions to better prepare students for jobs that embrace secure by design. “We have to ensure that computer science programs make security a core part of the curriculum and not just a program elective,” she says.
Today, the security of software is intrinsic to national security and prosperity, Touhill points out. Regardless of the path forward for secure by design, it is unlikely that these principles will be forgotten or ignored by users. “Governments are going to have to make risk-based decisions, along with the critical infrastructure providers, as to how much risk they're willing to accept from software created by the marketplace,” he says.