Will CISA's Secure by Design pledge be a catalyst for better software security?

The Cybersecurity and Infrastructure Security Agency (CISA) took advantage of the RSA Conference this year to boost its efforts to get wider adoption of Secure by Design practices for increasing software security. At the event, CISA announced that 68 software makers — including Akamai, Amazon Web Services, Cisco, Google, HP, IBM, Lenovo, and Microsoft — had pledged to build greater security into their products over the coming year.

CISA Director Jen Easterly said in a statement:

More secure software is our best hope to protect against the seemingly never-ending scourge of cyberattacks facing our nation. I applaud the companies who have already signed our pledge for their leadership and call on all software manufacturers to take the pledge and join us in creating a world where technology is safe and secure right out of the box.

Peer pressure could lead more companies to take the pledge. However, whether the pledge will expand beyond top-tier companies with mature programs and large staffs remains an open question.

Here's what the Secure by Design pledge is all about — and what subject-matter experts have to say about it.

See related Webinar: Secure by Design — Why Trust Matters for Software Risk Management

The Secure by Design pledge in focus

Casey Ellis, CTO and co-founder of Bugcrowd, lauded the effort. "The response was surprisingly strong and validates the idea that Secure by Design is on the right track when it comes to making secure easy and making insecure obvious."

Under the voluntary program, companies are pledging to meet these goals within one year:

• Demonstrate actions taken to measurably increase the use of multifactor authentication (MFA) across their products
  
• Demonstrate measurable progress toward reducing default passwords across their products
  
• Demonstrate actions taken toward enabling a significant, measurable reduction in the prevalence of one or more vulnerability classes across their products
  
• Demonstrate actions taken to measurably increase the installation of security patches by customers
  
• Publish a vulnerability disclosure policy (VDP) that authorizes testing by members of the public on the manufacturer's products, commits to not recommending or pursuing legal action against anyone engaging in good-faith efforts to follow the VDP, provides a clear channel to report vulnerabilities, and allows for public disclosure of vulnerabilities in line with coordinated vulnerability disclosure best practices and international standards
• Demonstrate transparency in vulnerability reporting by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every Common Vulnerabilities and Exposures (CVE) record for their products, and issue CVEs in a timely manner for, at a minimum, all critical or high-impact vulnerabilities (whether discovered internally or by a third party) that either require actions by a customer to patch or have evidence of active exploitation
  
• Demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products

Ellis said he believed all of the goals are achievable within a year — depending on "corporate will, and funding to make sure that the commitments have follow-through," he said. "As long as these exist, the goals in the pledge are achievable."

The biggest challenge will be committing to the inconvenience of actually doing security well. While the controls laid out in the pledge are fairly basic, they all involve time and money.

Casey Ellis

Aspirational exercise, or security catalyst?

The Secure by Design pledge comes more than a year after the CISA launched its Secure by Design initiative — backed by the FBI, the National Security Agency, and the cybersecurity authorities of Australia, Canada, the United Kingdom, Germany, the Netherlands, and New Zealand. It could be a sign that its efforts thus far to spread the gospel have been more aspirational exercise than security catalyst.

David Lindner, chief information security officer at Contrast Security, said that It doesn’t hurt to revamp your security posture by implementing this approach, which includes incorporating security basics into the product design phase to make products secure out of the box. "That means enabling secure configurations by default and making security features such as multifactor authentication, logging, and single sign-on available at no additional cost," he said.

But Lindner said the pledge is not a significant factor for the success of the Secure by Design initiative.

I feel like the pledge is a PR stunt.

David Lindner

Daniel Kennedy, research director for information security and networking at 451 Research, which is part of S&P Global Market Intelligence, said the pledge is a continuation of the CISA's campaign to persuade companies to adopt some basic security practices. "This nonbinding pledge allows companies to market themselves alongside CISA, and CISA to continue to further socialize their messaging around things like default passwords, multifactor authentication, patching, and so forth," he said.

There’s an element of bringing awareness to these problems as part of a security program, and that’s what CISA seems to be trying to do.

Daniel Kennedy

Timothy A. Chick, applied systems group lead in the CERT Division at Carnegie Mellon University’s Software Engineering Institute, said the benefit of the pledge comes from so-called commitment bias theory. Once an individual or organization makes a public statement, they are more likely to succeed in accomplishing the goal, Chick explained. "Once you can get a few industry leaders to join the pledge, others will join due to the bandwagon effect, which can be attributed to psychological, social, and economic factors. Thus, a pledge can be an effective way to get companies to voluntarily improve the security attributes of their products."

Going beyond find-and-fix

Getting companies to adhere to Secure by Design principles has been challenging because many security teams are vulnerability-centric, said Bugcrowd's Ellis. "Secure by Design addresses prevention of vulnerabilities, as opposed to the 'whack-a-mole' posture created by a sole focus on find-and-fix," he said. "Starting simple and focusing on the basics first allows organizations to be proactive instead of reactive."

CMU's Chick echoed Ellis' critique. "Focusing on vulnerabilities is like driving backwards down the highway using your rearview mirror," he said.

Chick said nine out of 10 breaches are due to defects in design or code, so the only way to truly address the issue is to design and build more secure solutions. "New vulnerabilities can be introduced into code when fixing known vulnerabilities in addition to just implementing new features, thus good engineering practices, tools, and techniques are needed to continuously reduce the risk."

Reducing risk is more than just removing known vulnerabilities. It requires a layered security approach that must be designed into the system.

Timothy A. Chick

When push comes to shove

If the CISA's voluntary pledge program fails to make software more secure, it could provide ammunition for those who would like to see a tougher stance on the issue by government. Chick said that would be a mistake, because, for example, instead of direct government enforcement of Secure by Design best practices, the government could simply adjust the legal protections currently in place.

Chick explained that most software makers overly rely on limitation-of-liability clauses in their contracts or end-user license agreements to curb or even eliminate their liability if sued for a software defect or exploit that has resulted in a loss to users of their products or services

"While some protections are needed for the supplier, they should be contingent on the supplier using recognized best practices or face consequences due to negligence," he continued. "Thus, suppliers would be incentivized to invest in and self-enforce the use of more Secure by Design best practices."

The government has used a carrot-and-stick approach toward security for some time — and that has not done the job, Ellis said. "Based on the frequency of breaches, this approach isn't working. The initial goal of Secure by Design is to lay out the simple things and promote the benefits of doing them well with the ultimate goal of creating a positive reinforcement loop in the market."

Legacy AppSec is what's really holding back Secure by Design

Secure by Design is easier said than done. As noted in a recent RL Blog post, open-source project leads, commercial software development companies, and internal enterprise software engineering teams all must battle against application security (AppSec) inertia. Developers and AppSec pros alike still contend with ingrained software development patterns and legacy tool sets built for a more reactive approach to AppSec.

The blog post noted:

The reality: Software security practices are mired in after-the-fact application security testing (AST) and scan-and-fix cycles, fixations on legacy vulnerability management programs, and endless patch cycles. Additionally, some security pundits believe that CISA's Secure by Design guidelines don't yet address the complexity of the modern software supply chain.

Saša Zdjelar, Chief Trust Officer at ReversingLabs and a longtime security practitioner, said the work by CISA to publish its seminal paper on Secure by Design helped mature industry conversation about software security. But he stressed that there's still a lot of work needed before these principles — and the practices around them — can address the complexity of securing software today.