Recent guidance from the Cybersecurity and Infrastructure Security Agency (CISA) about securing software by design and default has garnered praise from the security community.
The guidance was developed by an impressive array of agencies. In addition to CISA, backers include the FBI, the NSA, and the cybersecurity authorities of Australia, Canada, the United Kingdom, Germany, the Netherlands, and New Zealand.
However, like many efforts by CISA in this domain, the Secure by Design initiative is a good start, not an end in itself. Here's what experts say about Secure by Design's impact on software supply chain security and security operations (SecOps).
Jeff Williams, CTO and co-founder of Contrast Security, said the document, titled "Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default" (PDF), shows multi-national cooperation "that so clearly focuses on the importance of software security and transparency."
CISA's Secure by Design confirms that governments of the world recognize the importance of software to healthcare, finance, governments, elections, utilities, social media, and education, Williams said.
Jeff Williams: This demonstrates that they are determined to ensure that market failures in the software industry don't endanger consumers who rely on this software.
The CISA initiative is based on five key principles. It states that security controls should be:
While ReversingLabs Field CISO Matt Rose welcomes the initiative, it's not a net-new documentation of best practices, he said.
Matt Rose: It's a very comprehensive document, talking about approaches to making sure that application or software developers are actually designing and implementing the correct checks when building software applications. But this isn't earth-shattering stuff. This has existed for years.
Chris Hughes, CISO and co-founder of Aquia, said the new CISA initiative embodies what has been a prominent aspect of the recent public dialogue around cybersecurity and software.
Hughes wrote in his Resilient Cyber blog on Substack:
Chris Hughes: The overarching concept is that software and technology suppliers and vendors are best positioned to drive down systemic risk and fix vulnerable software products by prioritizing cybersecurity alongside other business-driving factors, such as speed to market and profitability, rather than making downstream consumers and citizens bear the cost of software failures and incidents tied to insecure products and applications, which is largely the model we live in now.
The most exciting part of the document is its call for organizations to "embrace radical transparency and accountability," Williams said.
Jeff Williams: If vendors adopt this aspect of the document and share their pride in a strong software security program, the entire software market can change. We could even see competition that drives software vendors to want to offer the most secure software.
However, he doesn't think the initiative is clear as to what would motivate a company to be transparent in today's software market. "We are starting to see transparency laws and regulations emerge from governments, but I would have liked to see support for this trend in this document," Williams said.
Some of the advice in the CISA Secure by Design initiative will be a tough sell in many development organizations, Rose added.
Matt Rose: The document goes as far as to say that new features should take a backseat to secure software design principles. That sounds good on paper, but how many companies are going to sacrifice additional revenue, driven by new features and functions, just to be secure?
CISA's guidance also emphasizes the value of threat modeling in the Secure by Design scheme of things, said Rose.
Matt Rose: The question is, how do you do threat modeling in the modern CI/CD process, since the code is constantly changing? Typically in a waterfall environment, threat modeling started in the inception phase, the design phase, but ongoing threat modeling is very difficult to do with the aggressive release cycles of software today.
He added that software supply chain security wasn't given the treatment it deserves in the CISA initiative, noting its focus on traditional application security (AppSec) tools.
Matt Rose: If I want to design a secure product, activities compromising my software supply chain are very important to me. They're just as important as things in the document, such as vulnerabilities identified by a DAST, threat modeling, memory-safe languages, and single sign-on.
Although the CISA guidance isn't aimed at legacy software, it could still influence security practices in industries that depend on older programs. "This push by CISA to introduce effective cyber defenses for individual consumer and small business products should be another wake-up call for infrastructure operators," said Duncan Greatwood, CEO of Xage Security.
Duncan Greatwood: After all, it would be ironic if the cyber attack prevention for devices in a typical home came to be stronger than those blocking attacks against critical infrastructure.
CISA's guidelines are also pushing cybersecurity toward zero-trust security, he said. "The CISA principles are intended to improve the protection of each individual device, even in the event that attackers are able to compromise the user's network, which is a core tenet of zero trust," Greatwood explained.
Some guidance in the document is aspirational and often dated, said Williams. "The discussion of secure-by-default and secure-by-design is straight out of 2000."
He also found the list of tactics puzzling. "It's not that what's there is necessarily wrong, but it seems to suggest some minor tactics, rather than what I'd consider the fundamental practices that lead to secure-by-design," he explained.
CISA Secure by Design can give security teams additional negotiating ammunition when meeting with C-level executives and project managers about security needs, Rose noted. In its current state, however, he thinks its impact will be limited.
Matt Rose: It's a starting point, not an end point.