A group of industry experts has issued a letter in response to the recent US Cybersecurity and Infrastructure Security Agency (CISA) Guidance Document on Secure by Design.
The letter calls on CISA to further integrate and advocate threat modeling within its documents, with the goal of helping manufacturers prioritize cybersecurity practices when designing their technology products.
The guidance, titled Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default, was jointly issued in April 2023 by CISA, the FBI, the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, the United Kingdom, Germany, the Netherlands, and New Zealand.
It provides specific technical recommendations and outlines the core principles of security by design, in line with the goals set out in the Biden Administration’s National Cybersecurity Strategy announced in March 2023.
However, the group of industry experts, authors, speakers, and academics argued that the guidance should include specific details on how to implement security-by-design through threat modeling.
Threat modeling is a structured process for identifying, quantifying, and remediating security threats and vulnerabilities.
While the experts welcomed the guidance document’s reference to a “customized threat model” as a component of the product adoption process, they noted that organizations “need to develop capabilities” around threat models.
They therefore call for more specificity on how to implement security-by-design through threat modeling, including a definition of “radical transparency” in this context.
The authors added that they wanted “clarification of the relationship between security guidance and radical transparency,” including defining where in the supply chain transparency is beneficial.
The seven-page letter also lists various more specific opportunities for improvement to the provisions within the guidance.
The letter’s signatories include writer and academic Adam Shostack, Epiq Global CISO Alyssa Miller, IriusRisk CEO Stephen de Vries, and LINDDUN privacy threat modeling methodology researcher and creator Kim Wuyts.
Shostack commented: “This new guidance is a major step forward for secure design. A wide range of cybersecurity agencies are working together to develop joint principles to ensure that the software and technologies manufacturers produce are secure from the start.”
“However, we hope to go a step further by encouraging the widespread adoption of threat modeling in current or future guidance. Effective threat modeling is a prerequisite for designing secure software and the best way to reduce and mitigate vulnerabilities.”