AppSec & Supply Chain Security | April 27, 2023

CISA Secure by Design: 'It's a starting point, not an endpoint'

Here's what experts say about the CISA initiative's potential impact on software supply chain security — and security operations.

By John P. Mello Jr., freelance technology writer

Recent guidance from the Cybersecurity and Infrastructure Security Agency (CISA) about securing software by design and default has garnered praise from the security community.

The guidance has an impressive array of backers. In addition to CISA, they include the FBI, the NSA, and the cybersecurity authorities of Australia, Canada, the United Kingdom, Germany, the Netherlands, and New Zealand.

However, like many efforts by CISA in this domain, the Secure by Design initiative is a good start, not an end in itself. Here's what experts say about Secure by Design's impact on software supply chain security and security operations (SecOps).

Broad support for key principles is a good start

Jeff Williams, CTO and co-founder of Contrast Security, said the document, titled "Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default" (PDF), shows multi-national cooperation "that so clearly focuses on the importance of software security and transparency."

CISA's Secure by Design confirms that governments of the world recognize the importance of software to healthcare, finance, government, elections, utilities, social media, and education, Williams said.

This demonstrates that they are determined to ensure that market failures in the software industry don’t endanger consumers who rely on this software.

Jeff Williams

The CISA initiative is based on five key principles. It states that security controls should be:

  • A fundamental principle of product design
  • Built into products by default
  • Easy for users to understand and use
  • Effective and efficient
  • Continuously monitored and updated

While ReversingLabs Field CISO Matt Rose welcomes the initiative, he said it is not a net-new documentation of best practices.

It's a very comprehensive document, talking about approaches to making sure that application or software developers are actually designing and implementing the correct checks when building software applications. But this isn't earth-shattering stuff. This has existed for years.

Matt Rose

Shifting risk from end-users to development teams

Chris Hughes, CISO and co-founder of Aquia, said the new CISA initiative embodies what has been a prominent aspect of the recent public dialogue around cybersecurity and software.

Hughes wrote in his Resilient Cyber blog on Substack:

The overarching concept is that software and technology suppliers and vendors are best positioned to drive down systemic risk and fix vulnerable software products by prioritizing cybersecurity alongside other business-driving factors, such as speed to market and profitability, rather than making downstream consumers and citizens bear the cost of software failures and incidents tied to insecure products and applications, which is largely the model we live in now.

Chris Hughes

'Embrace radical transparency and accountability'

The most exciting part of the document is its call for organizations to "embrace radical transparency and accountability,” Williams said.

If vendors adopt this aspect of the document and share their pride in a strong software security program, the entire software market can change. We could even see competition that drives software vendors to want to offer the most secure software.

Jeff Williams

However, he doesn't think the initiative is clear as to what would motivate a company to be transparent in today’s software market. "We are starting to see transparency laws and regulations emerge from governments, but I would have liked to see support for this trend in this document,” Williams said.

Some of the advice in the CISA Secure by Design initiative will be a tough sell in many development organizations, Rose added.

The document goes as far as to say that new features should take a backseat to secure software design principles. That sounds good on paper, but how many companies are going to sacrifice additional revenue, driven by new features and functions, just to be secure?

Matt Rose

Threat modeling targeted, but challenges remain

CISA's guidance also emphasizes the value of threat modeling, said Rose.

The question is how do you do threat modeling in the modern CI/CD process, since the code is constantly changing? Typically in a waterfall environment threat modeling started in the inception phase, the design phase, but ongoing threat modeling is very difficult to do with the aggressive release cycles of software today.

Matt Rose

He added that software supply chain security wasn't given the treatment it deserves in the CISA initiative, noting the document's focus on traditional application security (AppSec) tools.

If I want to design a secure product, activities compromising my software supply chain are very important to me. They're just as important as things in the document, such as vulnerabilities identified by a DAST, threat modeling, memory safe languages, and single sign-on.

Matt Rose

Pushing zero trust for SecOps teams

Although the CISA guidance isn't aimed at legacy software, it could still influence security practices in industries that depend on older programs. "This push by CISA to introduce effective cyber defenses for individual consumer and small business products should be another wake-up call for infrastructure operators," said Duncan Greatwood, CEO of Xage Security.

After all, it would be ironic if the cyber attack prevention for devices in a typical home came to be stronger than those blocking attacks against critical infrastructure.

Duncan Greatwood

CISA's guidelines are also pushing cybersecurity toward zero-trust security, he said. "The CISA principles are intended to improve the protection of each individual device, even in the event that attackers are able to compromise the user's network, which is a core tenet of zero trust," Greatwood explained.

A baseline is born

Some guidance in the document is aspirational and often dated, said Williams. "The discussion of secure-by-default and secure-by-design is straight out of 2000."

He also found the list of tactics puzzling. "It’s not that what’s there is necessarily wrong, but it seems to suggest some minor tactics, rather than what I’d consider the fundamental practices that lead to secure-by-design," he explained.

CISA Secure by Design can give security teams additional negotiating ammunition when meeting with C-level executives and project managers about security needs, Rose noted. In its current state, however, he thinks its impact will be limited.

It's a starting point, not an endpoint.

Matt Rose
