Today, we would like to share the latest post in our series on secure software development.
CISA’s “Secure by Design” Guidelines
In the realm of software development, where innovation races against security threats, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) has been leading from the front with its “Secure by Design” guidelines (the “Guidelines”). CISA defines “secure by design” somewhat simplistically to mean that “technology products are built in a way that reasonably protects against malicious cyber actors successfully gaining access to devices, data, and connected infrastructure.” The Guidelines, pivotal for any serious software technologist, lay out a strategy not just for securing software but for embedding security within its DNA.
After releasing the Guidelines, CISA received feedback from hundreds of individuals, companies, and trade associations. According to CISA, the “most common request in the feedback was to provide more detail on the three principles as they apply to both software manufacturers and their customers.” Consistent with its mission, CISA prepared a whitepaper to “expand on the original report and touch on other themes such as manufacturer and customer size, customer maturity, and the scope of the principles.” We will discuss CISA’s whitepaper in this blog post.
CISA’s Caveat
CISA starts the whitepaper with a straightforward acknowledgment: “Software is everywhere, and no single report can adequately cover the entire range of software systems.” This acknowledgment sets the stage for the need to continuously evolve and adapt our software development practices to enhance security effectively.
The Three Pillars of Secure by Design
The First Pillar—Take Ownership of Customer Security Outcomes
CISA advises that software companies “need to take ownership of security outcomes for their customers, not just their own infrastructure.” Software companies can accomplish this by focusing on “application hardening, application features, and application default settings.” Let’s discuss each of these concepts in order.
“Application hardening” is achieved by using processes and technologies that raise the cost for a malicious actor wishing to compromise applications. “The idea is that security must be ‘baked in,’ and not ‘bolted on.’ By baking in security, software manufacturers can not only increase their customers’ security but also increase their products’ quality.” CISA identifies several “tactics” for application hardening, including “ensuring user input is validated and sanitized, and is not entered directly into code (i.e., by using parameterized queries instead), using a memory safe programming language, using rigorous software development life cycle (SDLC) management, and using hardware-backed cryptographic key management.”
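As an added example (not code from CISA or bTrade), the following Python shows the first tactic CISA lists, input validation and parameterized queries, next to the string-built query it replaces; the table, sample rows and helper names are assumptions made for this illustration.

```python
# Added example: two of the application-hardening tactics CISA lists, input
# validation and parameterized queries, shown against a string-built query.
# Table, rows and helper names are assumptions for this example, not bTrade code.
import re
import sqlite3

SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]  # constructed
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")  # allowlist for usernames


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_email_unsafe(conn: sqlite3.Connection, name: str) -> list[str]:
    # Vulnerable: untrusted input is spliced into the SQL text itself.
    query = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def find_email_hardened(conn: sqlite3.Connection, name: str) -> list[str]:
    # Hardened: reject input outside the allowlist, then bind the value as a
    # query parameter so the database engine never parses it as SQL.
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("username fails validation")
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def demo() -> dict:
    """Run both lookups on a normal name and on a constructed malformed one."""
    conn = make_db()
    malformed = "x' OR '1'='1"  # constructed input that changes the unsafe query's logic
    out = {
        "unsafe_normal": find_email_unsafe(conn, "alice"),
        "unsafe_malformed": sorted(find_email_unsafe(conn, malformed)),
        "hardened_normal": find_email_hardened(conn, "alice"),
    }
    try:
        find_email_hardened(conn, malformed)
        out["hardened_malformed"] = "accepted"
    except ValueError:
        out["hardened_malformed"] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```

The unsafe lookup returns every row for the malformed input because the quote character ends the intended literal, while the hardened lookup rejects it before the query runs and, even if validation were skipped, the bound parameter would only ever be compared as a value.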
CISA explains the “application features” concept as including “capabilities” in a product or service “in ways that help maintain or increase the security posture of a customer.” CISA identifies the following examples of security-related features: transport layer security (TLS) for all network connections, single sign on (SSO) support, multifactor authentication (MFA) support, security event audit logging, role-based access control (RBAC), and attribute-based access control (ABAC).
“Application default settings” refers to the need to ensure that security-related features are configurable to make it easier for customers to integrate the product into their existing environments and workflows. Applications that come with secure default settings allow customers to use fewer resources in enhancing the security of their technology stack right from the start.
CISA closes the discussion about the first pillar with a section captioned “Demonstrating the Principle.” In it, CISA references the following “common phrase” which CISA believes “summarizes the problem”—i.e., “the software industry needs more secure products, not more security products.” CISA believes the industry can “lead that transformation” by following six “Secure by Default Practices,” eight “Secure Product Development Practices,” and four “Pro-Security Business Practices.”
At bTrade, we deeply integrate the principle of “Taking Ownership of Customer Security Outcomes” into our Managed File Transfer solutions. We proactively focus on application hardening, feature-rich security offerings, and secure default settings that align closely with our customers’ operational environments. By embedding robust security measures from the outset—such as stringent input validation, advanced encryption methods, and comprehensive role-based access controls—we ensure our products not only meet but exceed the security expectations of our customers. This commitment is part of our core philosophy to not just provide secure products, but to enhance the overall security landscape for all our clients, ensuring they can operate safely and efficiently in today’s digital world.
The Second Pillar—Embrace Radical Transparency and Accountability
CISA emphasizes the need for software companies to adopt a culture of transparency and accountability in their operations and relationships. This approach involves openly sharing information about security practices, vulnerabilities, and operational procedures with customers and stakeholders.
CISA suggests that companies should disclose their security measures, processes, and the effectiveness of these measures. This openness not only builds trust with customers but also drives the industry towards higher standards of security. For instance, CISA recommends sharing details about the encryption standards used, the frequency and processes of security audits, and the methodologies for intrusion detection and response.
Accountability in security requires companies to take responsibility not just for successes but also for failures. CISA highlights the importance of incident response plans that are quickly actionable and transparent to the affected parties. These plans should outline how the company will mitigate damage, notify affected users, and prevent future occurrences.
Effective communication plays a critical role in maintaining security transparency and accountability. CISA advises firms to maintain ongoing dialogue with customers about the state of their data security, including regular updates about potential threats, changes in security policy, and improvements in security technology.
To demonstrate their commitment to this principle, CISA encourages companies to engage in practices such as publishing transparency reports, participating in independent security audits, and discussing security strategies in public forums and with customers. These actions show a firm’s dedication not just to protecting customer data, but to improving the entire ecosystem’s security landscape.
CISA concludes this section by stressing the importance of these practices in changing industry norms. They argue that by setting high standards for transparency and accountability, software companies can lead by example, fostering a more trustworthy and secure digital environment.
In our Managed File Transfer solutions, bTrade takes these principles to heart. We regularly publish transparency reports detailing our security practices and performance, and our incident response strategies are communicated clearly to customers. We also engage in frequent third-party audits and share these results to assure customers of our commitment to security excellence and continuous improvement.
This approach not only helps in adhering to CISA’s principles but also ensures that our customers have the utmost confidence in our ability to manage and protect their critical data securely and responsibly.
The Third Pillar—Lead from the Top
“Lead from the Top” is a common-sense point which emphasizes the critical role of leadership in shaping an organization’s security posture. “Leaders at all levels must understand their roles in promoting cybersecurity, ensuring that they not only support but drive the security initiatives.” This approach ensures that cybersecurity is not siloed as a technical issue but recognized as a fundamental aspect of overall business health.
At bTrade, we live by the mantra that strong leadership is pivotal to robust cybersecurity. Our executives actively engage in cybersecurity decisions and promote a culture of security awareness throughout the company, in the following respects:
· Regular Training and Engagement. Our leaders participate in regular cybersecurity training alongside our employees, highlighting the importance of staying updated on the latest security threats and trends.
· Policy Development and Enforcement. Leadership involvement is crucial in developing and enforcing security policies. By being actively involved, our leaders ensure that these policies are not just documents but active elements of our daily operations.
· Resource Allocation. Our leaders ensure that adequate resources are allocated to security initiatives, demonstrating a tangible commitment to these efforts.
· Transparent Communication. Our leaders maintain transparent communication lines about security policies, expectations, and the state of our cybersecurity landscape. This openness fosters trust and encourages an organizational-wide dialogue about security.
· Engagement with Stakeholders. bTrade leaders regularly engage with customers, partners, and industry leaders to discuss and align on security practices, demonstrating our leadership beyond the confines of our organization.
By embodying the “Lead from the Top” principle, bTrade ensures that cybersecurity is ingrained in the corporate ethos and operational strategies. Our leadership’s proactive stance not only enhances our security framework but also positions us as a leader in the secure managed file transfer market. As we move forward, bTrade continues to be guided by the principle that excellent leadership is at the heart of excellent security.
Conclusion
CISA's “Secure by Design” principles are not just guidelines but a manifesto for how modern software should be built. By focusing on ownership, transparency, and leadership, these principles aim to create a secure software ecosystem where security is not an add-on but a fundamental aspect of development. As technologists, embracing these principles can lead to safer, more reliable software that stands the test of evolving cyber threats.