While Secure by Design is a well-established technology development practice, an announcement from the White House Office of the National Cyber Director (ONCD) this week is heightening awareness and emphasis on developing impenetrable products.
Adding emphasis to the imperative, ONCD’s new report, Back to the Building Blocks: A Path Toward Secure and Measurable Software, urges shifting the responsibility for cybersecurity away from individuals and small businesses and onto large organizations. Technology companies and the federal government are more capable of managing the ever-evolving threat, the report asserts.
What it Means to Be Secure by Design
Secure by Design makes cybersecurity a core business requirement of technology products, not just a technical feature, according to the Cybersecurity & Infrastructure Security Agency (CISA). As such, Secure by Design principles are built into the system at every layer.
The process starts with a robust architecture design implemented during the design phase of a product’s development lifecycle. The goal is to reduce the number of exploitable flaws before they are introduced to the market for broad use or consumption.
CISA advises that products should be safe to use out of the box, with secure configurations enabled by default and security features, such as multi-factor authentication (MFA), logging and single sign-on (SSO), available at no additional cost.
The ONCD believes that creators of software and hardware “can have an outsized impact” on the nation’s shared security by factoring cybersecurity outcomes into the manufacturing process. This belief is in line with two major themes of President Biden’s National Cybersecurity Strategy released nearly one year ago.
A component of Secure by Design is adopting memory safe programming languages. The ONCD believes that this adoption by technology manufacturers can prevent entire classes of vulnerabilities from entering the digital ecosystem. ONCD is also encouraging the research community to address the problem of software measurability to enable the development of better diagnostics that measure cybersecurity quality.
“We, as a nation, have the ability — and the responsibility — to reduce the attack surface in cyberspace and prevent entire classes of security bugs from entering the digital ecosystem, but that means we need to tackle the hard problem of moving to memory safe programming languages,” stated National Cyber Director Harry Coker.
How One Company Builds Secure by Design Systems
OP[4] is an emerging player in the product security space, having recently launched an advanced version of its product security platform. The platform, which has been developed for and used by the U.S. government for the past six years, has now been expanded to help original equipment manufacturers and integrators “build systems that are secure-by-default,” the company said.
The platform provides developers with the ability to identify, manage and mitigate cyber risk for systems throughout the entire product lifecycle, from design and development to deployment and end of life, OP[4] said.
To advance its Secure by Design business, the company appointed Daniel Velasquez as its new executive vice president this week. Velasquez previously served as a data integration and operational solutions expert for the Central Intelligence Agency (CIA). He has also held leadership positions at Aspis Cyber Technologies, Outcome Security and Mandiant, where he led teams in building cybersecurity solutions.
“Through these roles, I’ve seen firsthand the importance of protecting critical assets and infrastructure and have gained a deep understanding of the need for security software that can not only identify and mitigate vulnerabilities before hackers do but can help systems developers build safer systems in the first place,” Velasquez said.
Education and Further Reading
An ISC2 Cybersecurity Workforce Study reported that 26% of respondents indicated a skills gap at their organizations in application security, and 23% anticipate application security skills to be most in-demand for security professionals looking to advance their careers through new jobs and promotions.
ISC2, a nonprofit member organization for cybersecurity professionals, expects the demand for secure software development to rise in the coming years. In response to the need for SDLC skills, ISC2 recently launched its Certified Secure Software Lifecycle Professional (CSSLP) Self-Paced Training. The training uses AI to deliver personalized learning resources to those looking to obtain the CSSLP certification.
Earning a CSSLP certification signifies advanced skills in authentication, authorization and auditing throughout the software development lifecycle. ISC2 developed the training to help cybersecurity pros skill up in high-demand areas and demonstrate their expertise in secure technology development and lifecycle management.
Further Secure by Design insights come via the new report, The Case for Memory Safe Roadmaps: Why Both C-Suite Executives and Technical Experts Need to Take Memory Safe Coding Seriously, which explains how software manufacturers can eliminate memory safety vulnerabilities by transitioning to memory safe programming languages. The report is co-authored by the National Security Agency (NSA), the Federal Bureau of Investigation (FBI) and the cybersecurity authorities of Australia, Canada, the United Kingdom and New Zealand.