CISA's Security by Design for software development: 'It's a starting point, not an endpoint'

The recent guidance by the Cybersecurity and Infrastructure Security Agency (CISA) about securing software by design and default has garnered some praise from the security community.

The guidance was developed by an impressive array of agencies. In addition to CISA, backers include the Federal Bureau of Investigation, the National Security Agency, and the cybersecurity authorities of Australia, Canada, the United Kingdom, Germany, the Netherlands, and New Zealand.

However, like many efforts in this domain by CISA, the Secure by Design initiative is a good start — not an end in itself. Here's what experts say about Secure by Design's impact on software supply chain security — and security operations (SecOps). 


Broad support for key principles is a good start

Jeff Williams, CTO and co-founder of Contrast Security, said the document, titled "Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default" (PDF), was great to see because it showed multi-national cooperation "that so clearly focuses on the importance of software security and transparency."

CISA's Secure by Design demonstrates that the governments of the world recognize the importance of software to healthcare, finance, governments, elections, utilities, social media, and education, Williams said.

"This demonstrates that they are determined to ensure that market failures in the software industry don’t endanger consumers who rely on this software."
—Jeff Williams

The CISA Secure by Design initiative is based on five key principles:

  • Security should be a fundamental principle of product design.
  • Security controls should be built into products by default.
  • Security controls should be easy for users to understand and use.
  • Security controls should be effective and efficient.
  • Security controls should be continuously monitored and updated.

ReversingLabs Field CISO Matt Rose said he welcomes the initiative, but noted that it is not net-new documentation of best practices.

"It's a very comprehensive document, talking about approaches to making sure that application or software developers are actually designing and implementing the correct checks when building software applications. But this isn't earth-shattering stuff. This stuff has existed for years."
—Matt Rose

Shifting risk from end-users to development teams

Chris Hughes, CISO and co-founder of Aquia, said CISA's Security by Design initiative embodies what has been a prominent aspect of the recent public dialogue around cybersecurity and software.

Hughes wrote in his Resilient Cyber Substack newsletter:

"The overarching concept is that software and technology suppliers and vendors are best positioned to drive down systemic risk and fix vulnerable software/products by prioritizing cybersecurity alongside other business driving factors such as speed to market and profitability rather than making downstream consumers and citizens bear the cost of software failures and incidents tied to insecure products and applications, which is largely the model we live in now." 

'Embrace radical transparency and accountability'

Williams noted that the most exciting part of the document is its call for organizations to "embrace radical transparency and accountability."

"If vendors adopt this aspect of the document and share their pride in a strong software security program, the entire software market can change. We could even see competition that drives software vendors to want to offer the most secure software."
—Jeff Williams

However, he said the initiative isn't very clear on what would motivate a company to be transparent in today's software market. "We are starting to see transparency laws and regulations emerge from governments, but I would have liked to see support for this trend in this document," Williams said.

Rose said that some of the advice in the CISA Secure by Design initiative will be a tough sell in many development organizations. 

"The document goes as far as to say that new features should take a backseat to secure software design principles. That sounds good on paper, but realistically, how many companies are going to sacrifice additional revenue, driven by new features and functions, just to be secure?"
—Matt Rose

Threat modeling targeted but challenges remain

CISA's guidance also emphasizes the value of threat modeling in the Secure by Design scheme of things.

"The question I have is how do you do threat modeling in the modern CI/CD process, since the code is constantly changing. Typically, in a waterfall environment threat modeling started in the inception phase, the design phase, but ongoing threat modeling is very difficult to do with the aggressive release cycles of software today."
—Matt Rose

Rose added that software supply chain security wasn't given the treatment it deserves in the CISA initiative, noting its focus on traditional app sec tools.

"If I want to design a secure product, activities compromising my software supply chain are very important to me. They're just as important as things in the document such as vulnerabilities identified by a DAST, threat modeling, memory safe languages, and single sign-on."
—Matt Rose

Pushing zero trust for SecOps teams

Although the CISA guidance isn't aimed at legacy software, it could still influence security practices in industries that depend on older programs. "This push by CISA to introduce effective cyber defenses for individual consumer and small business products should be another wake-up call for infrastructure operators," maintained Duncan Greatwood, CEO of Xage Security.

"After all, it would be ironic if the cyber attack prevention for devices in a typical home came to be stronger than those blocking attacks against critical infrastructure."
—Duncan Greatwood

Greatwood added that CISA's guidelines are also pushing cybersecurity toward zero-trust security. "The CISA principles are intended to improve the protection of each individual device, even in the event that attackers are able to compromise the user's network, which is a core tenet of zero trust," he explained.

A baseline is born

Some of the guidance in the document is a bit aspirational — and often very dated, noted Williams. "The discussion of secure-by-default and secure-by-design is straight out of 2000."

He also found the list of tactics puzzling. "It’s not that what’s there is necessarily wrong, but it seems to suggest some minor tactics rather than what I’d consider the fundamental practices that lead to secure-by-design," he explained.

Rose noted that CISA Secure by Design can give security teams some additional negotiating ammunition when meeting with C-level executives and project managers about security needs. In its current state, however, he said its impact would be limited.

"It's a starting point, not an end point."
—Matt Rose

Matt Rose explains why Secure by Design is only a starting point in his ReversingGlass glassboard series.
