Commentary
In April, the Cybersecurity and Infrastructure Security Agency's “Secure by Design” initiative celebrated its first anniversary. CISA In a blog post Outline your accomplishments over the past year.
A year ago, advocates of secure design warned that this initiative, among others, National Cybersecurity StrategyThis makes secure design a key tenet of the Biden administration's approach to addressing insecure software.
According to CISA, the overall goal of this effort is to “shift the responsibility for security from end users to technology manufacturers.” So how successful has this effort been?
This is the first grade report card.
Raising awareness
CISA's focus on secure design and efforts to place it on the cyber agenda have significantly increased awareness of its importance. Principles and Guidelines Helping technology providers and software developers implement secure designs; blog and AlertWe ensure that news and information is delivered continuously.
Additionally, notable global initiatives aligned with secure design principles include: 16 other countries It spread beyond U.S. borders and sparked media attention on the issue.
CISA's influence, reach, and the resources it has dedicated to raising awareness of security by design have made a huge difference, and CISA is now much more part of everyday conversations about software and product security – an undeniable success.
Class A
Practical Actions
The big headline to come out of the National Cybersecurity Strategy on “security by design” was the announcement that security responsibility would be introduced for software providers. In a February update, the National Cyber Director stated: Harry Coker was quoted as saying: His office is working with academics and legal experts to build an accountability system.
Introducing liability requires legislation and political support and cannot be achieved by CISA alone. But to truly shift the responsibility from the end user to the manufacturer and ensure that software is designed to be secure when it hits the market, we need to hold the manufacturer accountable. This is a game changer. Without this, we will not be able to progress as quickly as we need to.
But on the way to passing this law, other important advances were made: Companies that supply software to the federal government will now be required to certify that they have used secure development practices. Incorporating secure design into the public procurement process and making it mandatory is a major step forward.
Rating: B-
Attention to detail
CISA’s “security by design” guidance demonstrates a willingness to not just tell people to do something, but to show them how to do it.
However, this guidance did not adequately explain how to deploy threat modeling, a fundamental element of secure design.
Effective threat modeling is a prerequisite for designing secure software and is the best way to build secure software from the start. In response to CISA guidance, we collaborated with a group of world-leading threat modeling experts to “Threat Modeling Manifesto” Co-authored Letter to CISA Clarifying the need for future guidelines on security at the design stage; Threat Modeling Adoption.
CISA has updated its guidance to include more information about threat models, including transparency about threat models, but it needs to go further and provide more detail on how to effectively implement a threat model.
Rating: C
Vision for the future
As we expand our safe design efforts, CISA has established three new areas of focus:: Encouraging customers to think about “security on demand,” working to understand the economic factors that impact software security, and working with the education community to embed security in computer science and coding programs.
These are all important areas and, while not as ambitious as previous efforts, are very welcome. The lack of developer experience and understanding of security is a huge issue, which makes the focus on education especially important. We need to do more not only to upskill the next generation of developers, but also to help educate the people who are designing software today.
Rating: B+
Final results
The Biden Administration’s recognition of the importance of security by design in its National Cybersecurity Strategy and subsequent implementation plans was a real wake-up call for the software development industry.
CISA’s Secure by Design soon followed, demonstrating that the government was serious about it and making considerable progress in a short space of time.
While truly game-changing liability legislation may still be a long way off, important interim steps have been taken to build security by design into Federal Acquisition Regulations—a real statement of intent that is having an impact in practice.
There is still a lot of work to be done, especially giving people the tools to truly implement secure designs, but so far this effort has been successful.
Overall rating: B+