
CISA fleshes out ‘Secure by Design’ action items for software makers

Buyers urged to thoroughly vet products, enforce high standards.
Cover image: Yuichiro Chino/Getty Images


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

If you want something done right and you can’t do it yourself, leverage the power of the consumer to make it happen.

At least that’s the message from the updated guidelines for software manufacturers released Monday by the Cybersecurity and Infrastructure Security Agency (CISA).

The guidance expands on CISA’s April “Secure by Design” framework, which called for manufacturers to take responsibility for the security of their products, communicate transparently about vulnerabilities, and prioritize security in product development from the C-suite down.

The updated guidelines advise software manufacturers on how they can “demonstrate these principles to their customers and the public, emphasizing that software manufacturers must be able to compete on the basis of security,” according to a press release.

Manufacturers should clearly state how they’re weaving security into their business models, while software-buying enterprise customers should ask “hard questions” about their vendors’ security practices and demand clear documentation, CISA advised in its report.

“Thanks to the feedback of hundreds of partners, we have revised this guidance to focus even more on how companies can demonstrate their commitment to secure by design principles,” CISA Director Jen Easterly said in a statement. “This joint guidance gives them the tools to do exactly that.”

According to the document, those tools include doing away with default passwords, conducting field tests and building the results into the final product, streamlining security-measure guides that accompany products, and offering secure configuration templates.

Such security measures should be automatically built into off-the-shelf products for no extra charge, just like “seatbelts are included in all new cars,” the report said.

The framework echoes a larger government effort to map out strategies for a safer software ecosystem and set forth a national cybersecurity strategy after major security lapses like Log4j, in which a vulnerability in a widely used open-source library spread across the software ecosystem.

In the near future, CISA said it and its partner organizations from across the globe will ask for feedback on the revised guidelines and solicit information from companies on what they’re doing to incorporate secure-by-design principles.
