In April, the federal Cybersecurity and Infrastructure Security Agency (CISA) pledged to shift the balance of risk in software and technology products by prodding organizations to secure their technology wares by design and by default.
CISA's Secure by Design initiative aims to change how technology products, including software, are built from the start, while Secure by Default focuses on ensuring those products ship with resilience against exploitation techniques already enabled. CISA Director Jen Easterly, speaking at Carnegie Mellon University about Secure by Design/Secure by Default, described the program as follows:
"[Consumer] safety must be front and center in all phases of the technology product lifecycle — with security designed in from the beginning and strong safety features, like seatbelts and airbags, enabled right out of the box, without added costs. Security by Design includes actions like transitioning to memory-safe languages, having a transparent vulnerability disclosure policy, and secure coding practices."
CISA and more than half a dozen agencies — including the NSA and the FBI and cybersecurity agencies in Australia, Canada, the United Kingdom, Germany, the Netherlands, and New Zealand — strongly encouraged every technology manufacturer to build their products in a way that prevents customers from having to constantly perform monitoring, routine updates, and damage control on their systems to mitigate cyber intrusions.
They urged manufacturers to take ownership of improving the security outcomes for their customers. "Historically, technology manufacturers have relied on fixing vulnerabilities found after the customers have deployed the products, requiring the customers to apply those patches at their own expense," CISA explained. "Only by incorporating Secure by Design practices will we break the vicious cycle of creating and applying fixes."
Now, four months after the release of its Secure by Design/Secure by Default initiative, CISA is finding it a challenge to make the initiative more than just an aspirational exercise. Here's what subject-matter experts say needs to happen.
The challenges in the private market
While the abstract idea of Secure by Design/Secure by Default is appealing, one key problem for securing software is that the diversity of any software project creates massive challenges, said Jeff Williams, CTO and co-founder of Contrast Security.
"Every application is a beautiful and unique snowflake and requires expert analysis to determine the most critical threats and the appropriate defenses. There simply is no set of Secure by Design practices that can apply to every software project, and there never will be."
Williams said that rather than taking a one-size-fits-all approach and shifting liability to the maker of software, CISA should concentrate its efforts on transparency, which would allow each vendor to make security choices for its project and the market to decide which approaches are appealing.
"CISA strategy argues the vendor is the least-cost avoider of security vulnerabilities and breaches, and it threatens liability for damages caused. I agree with this. However, you can't argue for that and say that the government is the best chooser of Secure by Design practices. They can't have it both ways."
Chris Romeo, managing general partner at the cybersecurity startup investment and advisory firm Kerr Ventures, said that the primary challenge to CISA's efforts is the same as with any U.S. government regulation: getting organizations that are not required to comply to consider complying.
"CISA can only enforce Secure by Design practices to vendors that sell to federal agencies, and even then, getting the most prominent vendors to comply is challenging when federal agencies need those vendors' solutions for success."
Matt Rose, Field CISO for ReversingLabs, said the concept of Secure by Design/Secure by Default sounds great, but there is a huge obstacle to overcome in many organizations.
"Modern enterprise software has been evolving for years with updates, patches, and new versions. It is in a perpetual state of improvement and change. Secure by Design/Secure by Default may work for brand new software packages, but is a challenge for existing software programs that have already been designed, developed, and deployed to production."
The challenges with federal agencies
Secure by Design/Secure by Default also faces challenges with federal agencies. Chuck Brooks, president of Brooks Consulting International and an adjunct professor at Georgetown University, said a key problem is that protocols and past performances for vendors differ among federal agencies.
"The process will need to educate security leadership at these agencies to promote and eventually enforce Secure by Design. It can happen, but it will be a process that will take both time and a concerted effort."
The other problem for agencies: Secure by Design/Secure by Default is an enormous and expensive undertaking. Greg Touhill, director of the CERT division at the Software Engineering Institute at Carnegie Mellon University's Heinz College, said risk exposure in the existing software base across the national security and critical infrastructure environments is enormous.
"Replacing and upgrading all the insecure software will take years and be very expensive."
However, Touhill said agencies need to start somewhere, and modern, security-focused best practices such as employing the zero-trust security strategy, using memory-safe programming languages, and embracing DevSecOps "can have a profound impact in buying down our current and future risk exposure."
"Federal agencies need to set the example for others by embracing these concepts in their architectures, requirements, investments, and operations."
Chris Hughes, co-founder and CISO of Aquia and an adjunct professor at the school of cybersecurity and IT at the University of Maryland Global Campus, said Secure by Design arose from an inevitable problem within the software industry.
"Most vendors and software suppliers operate based on market incentives, and many consider cybersecurity to be a market failure that won't resolve itself voluntarily. This is why we are seeing increased calls for regulation to address systemic cybersecurity risk and drive the Secure by Design principles across the ecosystem."
Hughes said the federal government should be able to advance the goals of CISA's Secure by Design/Secure by Default initiative.
"The federal agencies have more avenues to drive Secure by Design practices by using their massive purchasing power and regulatory mechanisms to ensure software suppliers selling to the federal government abide by desired Secure by Design practices."
That can already be seen, he continued, in actions such as the issuance of Executive Order 14028, which addresses software supply chain security, zero-trust architecture, and incident response. It can also be seen in OMB memos 22-18 and 23-16, which require federal agencies to use software provided by producers who can attest, in writing, to complying with government-specified minimum secure software development practices, such as the NIST Secure Software Development Framework.
Building in security: A 50-year problem
Daniel Kennedy, research director for information security and networking at 451 Research, which is part of S&P Global Market Intelligence, said that getting organizations to design their software with security in mind has been a problem for decades. He noted that one keynote speaker at this year's Black Hat conference found a reference to "building security in" as long ago as 1972.
"That means we've been talking about this at some level for more than fifty years. There are market forces here around minimum viable products and considering security at a later date that will take more than good intentions or describing the problem, again, to correct."
The takeaway for Kennedy: Buy-in is tough. "Setting guidelines that regulatory bodies in the government can latch on to, however, may start to enforce some security baselines around these requirements among vendors."
Contrast Security's Williams said that while security experts see benefits in having federal agencies push Secure by Design/Secure by Default through contracting obligations, they're less enthusiastic about more direct government enforcement of the practices.
"Our software 'houses' are made of glass and desperately need better security. But having government say that all houses must be made of concrete almost certainly will not work."
Kerr Ventures' Romeo said he's not a fan of direct government enforcement driving any security best practices.
"We are not yet mature enough as an industry for enforcement. Enforcement at too early of a stage breeds compliance activities. The worst thing that could happen to Secure by Design is it becomes a compliance check-box activity."
Touhill, too, said that regulation should be a last resort for government. He said he'd rather have the software industry voluntarily embrace Secure by Design/Secure by Default principles.
Without getting hands-on, will CISA's initiative fail?
Kennedy said direct government intervention is the only way CISA's ambitions will be realized. For CISA's best practices to have the desired effect, they need to be leveraged by other regulatory enforcement bodies, he said.
"Without the teeth that come along with that, this becomes more of an educational exercise for the market and joins a litany of other well-meaning efforts."
Aquia's Hughes said many in the software industry now recognize that cybersecurity is a market failure that won't entirely address itself voluntarily. He said there simply aren't sufficient incentives in many cases for suppliers to make the appropriate financial and resource investments to fully adopt best practices around secure software development, and this is where factors such as regulation come into play, "and obviously that means government involvement."
"The idea that industry will merely voluntarily make the investments and police itself at the expense of maximizing shareholder value, return on investment, and profit margins is an idea we all must collectively acknowledge isn't realistic."