The U.S. and a number of its international partners on Thursday issued a roadmap for software manufacturers to design their products with security front and center, a concept contained within the Biden administration’s new cybersecurity strategy.
The National Cybersecurity Strategy released in early March includes a pillar that calls for shaping market forces to drive security and resilience by ensuring software is created with security-by-design principles before it becomes part of larger products.
“Ensuring that software manufacturers integrate security into the earliest phases of design for their products is critical to building a secure and resilient technology ecosystem,” Jen Easterly, director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, said in a statement. “These secure by design and secure by default principles aim to catalyze industry-wide change across the globe to better protect all technology users. As software now powers the critical systems and services we collectively rely upon every day, consumers must demand that manufacturers prioritize product safety above all else.”
Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default was authored by CISA, the FBI, the National Security Agency, the Australian Cyber Security Centre, the Canadian Centre for Cyber Security, New Zealand's Computer Emergency Response Team, the United Kingdom's National Cyber Security Centre, Germany's Federal Office for Information Security, and the Netherlands' National Cyber Security Centre.
Recommendations offered in the new framework include software manufacturers taking “ownership of the security outcomes of their customer’s purchase,” being transparent and accountable in part through accurate vulnerability advisories, and having company leaders prioritize security and implement an organizational structure that reinforces this ethos.
The guidelines are not a top-down mandate from the respective governments but part of an ongoing conversation about how to work toward secure-by-design software, the international partners said. CISA asked that feedback be sent to [email protected].