Several cybersecurity organizations worldwide have jointly published a new series of guidelines to aid manufacturers in prioritizing cybersecurity practices while designing products.
The paper was developed by the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, the UK, Germany, Netherlands, and New Zealand.
The guidance, Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default, was published on Thursday and provides specific technical recommendations as well as outlining core principles.
“To create a future where technology and associated products are safer for customers, the authoring agencies urge manufacturers to revamp their design and development programs to permit only Secure-by-Design and -Default products to be shipped to customers,” reads the document.
“Products that are Secure-by-Design are those where the security of the customers is a core business goal, not just a technical feature. Secure-by-Design products start with that goal before development starts. Secure-by-Default products are those that are secure to use ‘out of the box’ with little to no configuration changes necessary and security features available without additional cost,” the guide explains.
According to the authoring agencies, embedding these two principles in product design moves much of the burden of security to manufacturers and reduces the chances that customers will suffer incidents resulting from misconfigurations and insufficiently fast patching.
“CISA is making great progress with providing guidance to help keep organizations safe from cyberattacks. Building security into the design process is not only good practice, but it’s also very effective in mitigating flaws in software before they reach the consumer,” echoed Ray Kelly, fellow at the Synopsys Software Integrity Group.
At the same time, the security expert says organizations may find it challenging to adopt these practices without affecting their business from a technical or financial standpoint.
“The ‘design stage’ is a critical component of the software development lifecycle (SDLC), and organizations continue to struggle adopting security as part of this process,” Kelly added. “Hopefully, CISA’s latest recommendations will help bring more visibility on the importance of building security into the SDLC from the start.”
CISA’s latest collaboration aligns with the Biden administration’s National Cybersecurity Strategy, published last month.