By: Kelly Onu
In April 2023, the Cybersecurity and Infrastructure Security Agency (CISA) published a comprehensive white paper on the principles of “Secure by Design,” focusing on embedding security into the product lifecycle from the ground up. This paper primarily targets software and hardware manufacturers, encouraging them to make security a foundational element. Over a year later, more than 200 organizations, including industry leaders like Google, SailPoint, and Microsoft, have committed to integrating these principles into their product development processes, enhancing security for their customers.
What is Secure by Design?
Secure by Design emphasizes integrating security as a core priority throughout the product development lifecycle, not as an afterthought. This approach, which strengthens a product’s security posture from the start, applies to software, hardware and firmware. Secure by Design principles reduce the risk of compromise and ensure that security is maintained as a foundational element in a product’s lifecycle.
Key Considerations
1. Use Multi-Factor Authentication (MFA)
MFA is a crucial layer in protecting against unauthorized access, particularly in products and development environments. Implementing MFA by default enhances protection against phishing and password attacks. Companies should enable MFA by default and make it easy for users to enroll during setup using multiple authentication factors like passwords, SMS, email codes, or security questions.
2. Eliminate Default Passwords
Default passwords are a weak point in hardware security and are commonly targeted in cyberattacks. Replacing default passwords with instance-specific, random passwords strengthens security. Additionally, manufacturers can enhance security by requiring strong user-generated passwords during installation and disabling setup passwords after initial configuration.
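The three practices in this point (a per-instance random setup password, a strength check on the user's replacement, and disabling the setup credential once configuration is done) fit in one small state machine. The Python below is an added example written for this article, not a vendor's firmware; the 12-character minimum, the PBKDF2 round count and the tiny weak-password denylist are assumed policy values chosen for illustration.

```python
import hashlib
import hmac
import secrets
import string

# Assumed policy values for the example (illustrative, not CISA's figures).
MIN_LENGTH = 12
PBKDF2_ROUNDS = 100_000
# Constructed denylist; a real product would check against a large breach-derived list.
DENYLIST = {"password", "admin", "123456", "letmein", "qwerty"}


def generate_setup_password(length: int = 16) -> str:
    """Instance-specific random setup password, generated on the device at first boot
    (for example printed on its label) instead of a factory-wide default."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_problems(pw: str) -> list:
    """Return the policy violations for a user-chosen password (empty list = acceptable)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in DENYLIST:
        problems.append("on the weak-password denylist")
    return problems


def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)


class DeviceSetup:
    """Lifecycle of a device's credentials: setup password -> admin password."""

    def __init__(self):
        # Kept in clear here only so the example can show it to the "installer".
        self.setup_password = generate_setup_password()
        self._setup_salt = secrets.token_bytes(16)
        self._setup_hash = _hash(self.setup_password, self._setup_salt)
        self._admin_salt = None
        self._admin_hash = None
        self.setup_complete = False

    def complete_setup(self, setup_password: str, new_admin_password: str) -> bool:
        """Exchange the setup password for a strong admin password, once."""
        if self.setup_complete:
            return False
        if not hmac.compare_digest(_hash(setup_password, self._setup_salt), self._setup_hash):
            return False
        if password_problems(new_admin_password):
            return False
        self._admin_salt = secrets.token_bytes(16)
        self._admin_hash = _hash(new_admin_password, self._admin_salt)
        self._setup_hash = None  # setup credential disabled permanently
        self.setup_complete = True
        return True

    def authenticate(self, password: str) -> bool:
        """Only the admin password works, and only after setup has completed."""
        if not self.setup_complete:
            return False
        return hmac.compare_digest(_hash(password, self._admin_salt), self._admin_hash)


if __name__ == "__main__":
    dev = DeviceSetup()
    print("label on the device:", dev.setup_password)
    print("setup ok:", dev.complete_setup(dev.setup_password, "Correct-Horse-Battery-9"))
    print("old setup password still works:", dev.authenticate(dev.setup_password))
```

Two checks worth keeping in a real product: two units must never share a setup password, and the setup credential must stop working the moment the admin password is set.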
3. Reduce Common Vulnerability Classes
Addressing vulnerabilities like SQL injection and cross-site scripting (XSS) can greatly reduce security risks. Manufacturers should prioritize secure libraries and frameworks that address these common vulnerability classes, which are outlined in the OWASP Top 10 project. Reducing the attack surface before delivery ensures a more secure foundation for customers.
4. Increase the Frequency of Security Patching
Manufacturers bear responsibility for their products’ security even after they are in customers’ hands. Regular, automatic updates and operational support help ensure vulnerabilities are addressed promptly. By prioritizing frequent and seamless security patches, manufacturers can protect their customers from emerging threats and vulnerabilities.
5. Adopt a Vulnerability Disclosure Policy (VDP)
A VDP enables secure, responsible vulnerability reporting by third parties, encouraging transparency and collaboration. This policy provides a structured way for researchers to test products, report issues, and disclose findings without fear of legal repercussions, as long as guidelines are respected. It strengthens product security and offers customers reassurance that issues are addressed openly.
6. Accurately Report Common Vulnerabilities and Exposures (CVEs)
CVEs represent publicly known security flaws, and timely, accurate reporting is essential. When an exploitable vulnerability is identified, it should be reported promptly with clear guidance for mitigation. Consistent accuracy in CVE, CWE (Common Weakness Enumeration), and CPE (Common Platform Enumeration) reporting helps customers understand and address vulnerabilities effectively.
7. Enable Robust Logging Capabilities
Logging security events is particularly important for cloud providers, as it enhances visibility into unauthorized activity and helps customers recognize patterns in their security environments. Logs should be retained per Service Level Agreements (SLAs) to ensure traceability and to support customers in strengthening their resilience.
Bonus:
8. Generate Software Bills of Materials (SBOMs)
SBOMs offer transparency into a product’s supply chain, allowing manufacturers to better manage risks associated with third-party components. Creating and maintaining SBOMs enables manufacturers to track components, respond to supply chain risks, and inform customers about potential vulnerabilities in third-party modules.
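The tracking and customer-notification loop this point describes reduces to a join between the SBOM's component list and an advisory feed. The Python below is an added example for this article, not a vendor tool: it parses a small CycloneDX-style SBOM and flags components whose version is below an advisory's fixed version. The product, library names, versions and advisory identifiers are all constructed placeholders, not real packages or CVEs, and the numeric dotted-version comparison is a simplification of real version schemes.

```python
import json

# Constructed SBOM in CycloneDX-style JSON for a hypothetical product; every
# component name, version and purl below is invented for this example.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "application",
                             "name": "example-camera-fw", "version": "2.0.1"}},
  "components": [
    {"type": "library", "name": "libexample-tls", "version": "1.2.3",
     "purl": "pkg:generic/libexample-tls@1.2.3"},
    {"type": "library", "name": "libexample-json", "version": "3.0.0",
     "purl": "pkg:generic/libexample-json@3.0.0"},
    {"type": "library", "name": "example-httpd", "version": "0.9.7",
     "purl": "pkg:generic/example-httpd@0.9.7"}
  ]
}
"""

# Constructed advisory feed with placeholder identifiers (not real CVEs).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "libexample-tls", "fixed_in": "1.2.4"},
    {"id": "ADV-EXAMPLE-0002", "name": "example-httpd", "fixed_in": "0.9.7"},
    {"id": "ADV-EXAMPLE-0003", "name": "libexample-zip", "fixed_in": "2.1.0"},
]


def parse_version(v: str) -> tuple:
    """Simplified dotted-numeric version ('1.2.3' -> (1, 2, 3)) for comparison."""
    return tuple(int(part) for part in v.split("."))


def components(sbom_text: str) -> list:
    """Extract (name, version) pairs from the SBOM's components array."""
    doc = json.loads(sbom_text)
    return [(c["name"], c["version"]) for c in doc.get("components", [])]


def affected(sbom_text: str, advisories: list) -> list:
    """Components shipped at a version older than an advisory's fix version."""
    hits = []
    for name, version in components(sbom_text):
        for adv in advisories:
            if adv["name"] == name and parse_version(version) < parse_version(adv["fixed_in"]):
                hits.append({"component": name, "version": version,
                             "advisory": adv["id"], "fixed_in": adv["fixed_in"]})
    return hits


def customer_notice(sbom_text: str, advisories: list) -> str:
    """Text a manufacturer could send customers about affected third-party modules."""
    hits = affected(sbom_text, advisories)
    if not hits:
        return "No shipped components are affected by the current advisories."
    lines = [f"{h['component']} {h['version']}: {h['advisory']} (fixed in {h['fixed_in']})"
             for h in hits]
    return "Affected components:\n" + "\n".join(lines)


if __name__ == "__main__":
    print(customer_notice(SBOM_JSON, ADVISORIES))
```

Note the boundary case: example-httpd ships at exactly the fixed version and is correctly not flagged, while an advisory for a library that is not in the SBOM is simply ignored, which is the reason the SBOM has to be complete and kept current with each release.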
Conclusion
Embracing Secure by Design principles not only strengthens security across the product lifecycle but also reduces the burden on customers, giving them greater peace of mind. By addressing these key strategies, organizations contribute to a safer digital ecosystem.