Several cybersecurity organizations around the world have jointly published a new set of guidelines to help manufacturers prioritize cybersecurity practices when designing products.
The document is endorsed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and partner cybersecurity agencies in Australia, Canada, the United Kingdom, Germany, the Netherlands, and New Zealand.
The guidance, titled Shifting the Balance of Cybersecurity Risk: Security-by-Design and -Default Principles and Approaches, was published Thursday and outlines a set of core principles along with specific technical recommendations.
“In order to create a safer future for technology and related products for our customers, authoring agencies are asking manufacturers to revamp their design and development programs so that only secure-by-design and default products can be shipped to customers. We urge you to do so,” the document said.
“A Secure-by-Design product is one where customer security is a core business goal, not just a technical feature. A Secure-by-Design product starts with that goal before development begins. Secure-by-Default products are safe to use “out of the box” with little to no configuration changes and security features at no extra cost,” the guide explains.
According to the authoring agencies, incorporating these two principles into product design shifts much of the burden of security onto the manufacturer, reducing the likelihood that customers will suffer incidents caused by misconfigurations or by patches that are not applied quickly enough.
“CISA has made great strides in providing guidance to protect organizations from cyberattacks. It is also very effective in mitigating software defects.”
At the same time, security experts say organizations may find it difficult to adopt these practices without impacting their business from a technical or financial standpoint.
“The ‘design stage’ is a key component of the software development lifecycle (SDLC), and organizations continue to struggle to embrace security as part of this process,” added Kelly. “We hope that CISA’s latest recommendations will help make clearer the importance of building security into the SDLC from the beginning.”
CISA’s latest collaboration aligns with the Biden administration’s National Cybersecurity Strategy announced last month.