April 18, 2023 By Sue Poremba 4 min read

The traditional approach to security has been to get the product to market fast and worry about security later. Unfortunately, that approach has never really worked. It puts too much of the cybersecurity responsibilities on the customer and leaves many vulnerabilities primed for exploitation at any point in the supply chain.

As cyber threats become more damaging, pressure is building to prevent a disastrous attack on critical infrastructure or the economy. Because neither private nor public interests had the motivation or the incentive to build security into the development process on their own, the Biden Administration stepped in with Executive Order 14028 in May 2021. The EO addresses the need to modernize technology and security in several ways, including new NIST guidance for securing the software supply chain and partnerships with Big Tech to bolster security awareness training and skills. Another area the EO highlights is the need for improved secure-by-design principles and development.

“By design, we’ve normalized the fact that technology products are released to market with dozens, hundreds or thousands of defects — such poor construction would be unacceptable in any critical field,” said Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA), in a talk at Carnegie Mellon in February.

Three core principles of Secure-by-design

CISA established three core principles around secure-by-design to support critical infrastructure security. They are:

  • The burden of safety should never fall solely upon the customer. Technology manufacturers must take ownership of the security outcomes for their customers.
  • Technology manufacturers should embrace radical transparency to disclose and ultimately help us better understand the scope of our consumer safety challenges, as well as a commitment to accountability for the products they bring to market.
  • Leaders in technology manufacturing should explicitly focus on building safe products, publishing a roadmap that lays out the company’s plan for how products will be developed and updated to be both secure-by-design and secure by default.

To better understand why CISA is pushing for secure-by-design architecture, we first need to understand what secure-by-design is and why these principles are vital in the overall development process.

What is secure-by-design?

Secure-by-design, also referred to as security by design, is an approach that builds cybersecurity into software and hardware development from the beginning. It treats security as a requirement of every component at every stage of the development process, rather than as a review step bolted on at the end.

“With this approach, it means components and systems can all operate together, providing security and privacy,” Rashid Ali, enterprise solutions manager at WALLIX, told Spiceworks.

The point of secure-by-design principles is to reduce reliance on after-the-fact fixes, such as patches and software updates that address vulnerabilities found only after the product has shipped. Secure-by-design architecture should cover both newly written code and the open-source components developers pull in.

Secure-by-design’s importance to cybersecurity

Most software is a combination of material drawn from open-source libraries and third parties, along with original code written in-house. Developers control what they write, but not the public components they depend on. And while anyone can fix a flaw in an open-source project, there is no universal patch: the fix lands upstream in a new release, and every product that bundles the vulnerable version stays exposed until its maintainers pull that release in and ship it.
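Because an upstream fix only helps once each consumer adopts the fixed release, a product team needs its own check of what it actually pins. The following is an added example, not code from the article; the package names, versions and advisories are constructed for illustration and do not correspond to any real project or vulnerability. It parses a requirements file and reports every dependency that cannot be shown to include the fixed version.

```python
"""Audit pinned dependencies against a list of known-fixed versions.

Added example. The advisory entries, package names and requirement lines
below are constructed for illustration only (hypothetical packages).
"""
import re
from typing import NamedTuple, Optional


class Advisory(NamedTuple):
    package: str
    fixed_in: str  # first release that contains the fix
    note: str


# Constructed sample advisories (hypothetical packages and versions).
ADVISORIES = [
    Advisory("examplelib", "2.4.1", "hypothetical deserialization flaw"),
    Advisory("fakehttp", "1.0.9", "hypothetical request smuggling"),
    Advisory("othertool", "3.2.0", "hypothetical path traversal"),
]

# Constructed sample requirements.txt, as a team might ship it.
SAMPLE_REQUIREMENTS = """\
# constructed requirements file for the example
examplelib==2.3.0
fakehttp>=1.0.9
othertool
requests==2.31.0
"""

# name, optional operator (== or >=), optional version
REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=)?\s*([\w.]+)?\s*$")


def parse_version(v: str) -> tuple:
    """'2.4.1' -> (2, 4, 1). Only numeric components are compared."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_requirements(text: str) -> list:
    """Return (name, operator, version) per non-comment line; skips malformed lines."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if m:
            name, op, ver = m.groups()
            out.append((name.lower(), op, ver))
    return out


def audit(text: str, advisories=ADVISORIES) -> list:
    """One finding per requirement that is not provably at or above the fixed version.

    An unpinned dependency is flagged too: the resolver, not the team, decides
    which release ships, so the fix cannot be asserted.
    """
    by_name = {a.package.lower(): a for a in advisories}
    findings = []
    for name, op, ver in parse_requirements(text):
        adv = by_name.get(name)
        if adv is None:
            continue
        fixed = parse_version(adv.fixed_in)
        if op is None:
            findings.append(f"{name}: unpinned; cannot prove fix {adv.fixed_in} "
                            f"is installed ({adv.note})")
        elif op == "==" and parse_version(ver) < fixed:
            findings.append(f"{name}=={ver}: below fixed version {adv.fixed_in} "
                            f"({adv.note})")
        elif op == ">=" and parse_version(ver) < fixed:
            findings.append(f"{name}>={ver}: lower bound below fix {adv.fixed_in}; "
                            f"a resolver may still choose a vulnerable release")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUIREMENTS):
        print(finding)
```

On the constructed file, `examplelib==2.3.0` is flagged because it sits below the fixed 2.4.1, and `othertool` is flagged because an unpinned dependency proves nothing about what gets installed; `fakehttp>=1.0.9` passes because its lower bound is the fixed release, and `requests` has no constructed advisory. A real pipeline would feed in a lockfile and an actual advisory database, but the decision logic is the same: the consumer must demonstrate that the fix is present, because nothing upstream applies it for them.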

One vulnerability that slips through anywhere in the software supply chain can wreak havoc, taking down business networks or opening the door to ransomware. The SolarWinds breach remains the prime example: attackers compromised the vendor’s build process, and the trojanized update reached government agencies and private companies alike through the normal, trusted update channel. It is not an exaggeration to say that one attack on a widely used software supplier could disrupt organizations across the entire country. This is why the White House has increased its focus on national cybersecurity, particularly in the software supply chain.

There is no way to eliminate every vulnerability during development, but you can anticipate them. Implementing secure-by-design principles means building in processes to test code and features through each phase of development, and also building the product so that fixes and updates can be delivered safely in the future. The firmware in many IoT devices shows what the lack of secure-by-design architecture does to cybersecurity: anyone who has tried to update the firmware on a router, printer or security camera knows how difficult it is. Threat actors know that, too.

How to implement secure-by-design principles

All software is exposed to attack as soon as it goes live. The objective of secure-by-design is to close vulnerabilities before the product reaches the public. To get there, organizations can adhere to the secure-design principles that OWASP documents on its Secure Design page on GitHub, including:

  • Fail Safe or Fail Secure
  • Layered Defense
  • Least Privilege
  • Separation of Duties
  • Open Design
  • Identifying the Weakest Link
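Three of these principles can be shown in a single authorization decision. The block below is an added example, not code from OWASP or from the article; the roles, users, actions and policy table are hypothetical. It contrasts a fail-open check, which lets a request through when the policy store cannot be reached, with a fail-secure one that denies on any error, grants each role only the actions it needs (least privilege, with everything else denied by default) and refuses to let the person who proposed a deployment also approve it (separation of duties).

```python
"""Fail-secure, least-privilege and separation-of-duties checks in one
authorization function. Added example with a hypothetical role table."""
from dataclasses import dataclass
from typing import Optional

# Least privilege: each role lists only the actions it needs. An action that
# appears in no role is denied for everyone until someone adds it explicitly.
ROLE_PERMISSIONS = {
    "viewer": {"read"},
    "developer": {"read", "propose_deploy"},
    "release_manager": {"read", "propose_deploy", "approve_deploy"},
}

# Constructed user directory (hypothetical users) used as the policy store.
DIRECTORY = {
    "alice": {"developer"},
    "bob": {"release_manager"},
    "carol": {"viewer"},
}


@dataclass
class DeployRequest:
    change_id: str
    proposed_by: str
    approved_by: Optional[str] = None


@dataclass
class Decision:
    allowed: bool
    reason: str


class PolicyError(Exception):
    """Raised when the policy store cannot be consulted (simulated outage)."""


def lookup_roles(user: str, directory) -> set:
    """A missing backing store is an error, not 'the user has no roles'."""
    if directory is None:
        raise PolicyError("directory unavailable")
    return set(directory.get(user, set()))


def authorize_fail_open(user: str, action: str, directory) -> Decision:
    """The anti-pattern: an error in the policy path is swallowed and the
    request proceeds, so an outage (or an induced one) becomes a bypass."""
    try:
        roles = lookup_roles(user, directory)
    except PolicyError:
        return Decision(True, "policy store down; allowing to stay available")
    allowed = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
    return Decision(action in allowed, "role check")


def authorize(user: str, action: str, directory,
              request: Optional[DeployRequest] = None) -> Decision:
    """Fail secure: any error in the decision path denies."""
    try:
        roles = lookup_roles(user, directory)
    except PolicyError as err:
        return Decision(False, f"denied: {err}")

    # Least privilege: only actions granted to one of the user's roles pass.
    allowed = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
    if action not in allowed:
        return Decision(False, f"denied: {user} lacks {action}")

    # Separation of duties: the proposer of a change may not approve it,
    # even when their role would otherwise permit approving.
    if action == "approve_deploy":
        if request is None:
            return Decision(False, "denied: approval requires a request")
        if request.proposed_by == user:
            return Decision(False, "denied: proposer cannot approve own change")
    return Decision(True, "allowed")


if __name__ == "__main__":
    req = DeployRequest("CHG-1", proposed_by="bob")
    print(authorize("bob", "approve_deploy", DIRECTORY, req))   # self-approval denied
    print(authorize("bob", "read", None))                        # outage: denied
    print(authorize_fail_open("bob", "read", None))              # outage: allowed
```

The difference between the two functions is one `except` clause, which is the whole point of fail secure: the safe behaviour must be the default that the code falls into when something unexpected happens, not a branch a developer has to remember to write. Layered defense, open design and finding the weakest link are properties of the system as a whole rather than of a single function, which is why they do not appear here.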

To put security-by-design into practice, the development and security teams should work in partnership throughout the entire design process. Most developers are trained to write code, not to recognize potential security flaws, so it is the security team that turns the secure-by-design principles into concrete requirements, and it should be consulted at every step of the design of both software and hardware. That way, decisions such as which network connections a product opens and which plug-in or third-party components it accepts can be made without compromising security.

Secure-by-design will be a culture shift for many organizations. The development team may have never collaborated on security before, and leadership will have to recognize that they may experience some delays in getting the product to market. But it will be a more secure product: one that will finally take the bulk of cybersecurity responsibilities away from the end user and keep the supply chain safer overall.
