What are the “Secure by Design” and “Secure by Default” approaches to software security?

Remember when we all realized that the responsibility for our global plastic pollution problem didn’t just lie with the consumer, but also with the manufacturer? 

The same is now happening for the tech sector.

This is the first blog post in a three-part series. Keen to read the second and third posts too?

In a world-first, seven global governments have come together to create a set of principles that says the responsibility of safe and secure technology is on the manufacturer rather than the customer.

This is huge. Let me explain why.

The case for building security in from the start

From the top down, we’re shifting the balance of cyber security risk from the consumer to the manufacturer. Why? Because quality software needs to have security built in. 

Around the world, we currently work with a “vulnerable by design” approach, and it’s showing. Software supply chain cyber attacks are costing us $45.8 billion globally in 2023, and by 2026, that cost is predicted to exceed $80.6 billion.

This is because, at the moment, tech manufacturers rely on fixing vulnerabilities only after customers have started using their products, through patches that users need to install themselves. By shifting to a Secure by Design and Secure by Default approach, we break this cycle of creating and applying fixes.

Secure by Design means security has been taken into account from the design phase onwards, and Secure by Default means the product that is created is secure out of the box, with no extra configuration needed.

The government agencies involved in this groundbreaking guide on shifting the balance of cyber security risk are the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and seven international partners, including New Zealand's National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ).

So, how does this shift in global mindset affect you? 

Introducing software product security principles

The guide puts forward three main principles to help software manufacturers weave software security into their design processes before developing their products.

  1. The burden of security is on both software manufacturers and customers

  2. Software manufacturers need to take ownership of their product’s security, rather than pushing that responsibility solely on to the user once they’ve bought the product.

  3. Transparency and accountability is everything

  4. Being proud of building safe and secure products is something to aim for, and doing so will make you stand apart from the competition.

  5. To achieve a Secure by Design approach, you’ve got to build an organizational structure that supports it

  6. The guide acknowledges both software developers and team leads. Technical subject matter expertise is critical to product security (hi there, you smart software developer cookie), but primary decision makers (looking at you, team leads) are key in implementing change in an organization.

Some key points are:

  • Security controls need to align with Secure by Default principles

  • Resources need to be allocated to replace legacy development practices with Secure by Design practices

  • Open lines of communication need to be created for feedback — both internally and externally — on product security issues

  • Reporting needs to be put in place about the effectiveness of the Secure by Design and Default models — specifically, about how they help customers by slowing the pace of security patches, reducing configuration errors, and minimizing attacks.

The tactics that will get you there

What tactics can you use to implement the principles?

Create routine meetings with your leadership team

This is a total organization, from top to bottom, type of change, y’all. We need to change the way business operates, incorporating security from start to finish. Key to this is an open line of communication, so book in those regular meetings to update the leadership team on progress and show the positive impact of weaving security into everything you do.

Drive home the importance of software security and its impact on business success

Communicating the impact of software security on business success in those regular meetings is vital. Show your leadership team the cost of not acting. How much does it cost your organization each year to fix security issues after software is deployed? How much would you save by thinking about security before you build software? Financial cost will definitely get people’s attention, but not all of the key measures of success are monetary. You may even see a change in customer satisfaction because the software you’re putting out is secure from the start, so fewer patches are needed. 

Use a tailored threat model during development

We’ve been saying this for years now, but the best software teams recognize that you can’t have quality software without building in security from the get-go. Developing a threat model as the system is being built allows our teams to anticipate security risks and plan the preventative and detective controls the system will need to address them.

Wrapping it up

Things are changing - for the better. The balance of cyber security risk is shifting from the consumer to the manufacturer. Quality software will have security built in, and we couldn’t be happier about it.

Previous
Previous

What Secure by Design means for software development teams

Next
Next

How to improve software security outcomes by teaching good engineers to be bad people