Secure by Design: What Does It Mean & How to Reasonably Implement It

April 23, 2024
Author

Anna Fitzgerald

Senior Content Marketing Manager at Secureframe

Reviewer

Rob Gutierrez

Senior Compliance Manager at Secureframe

In Q2 2023, organizations faced an average of 1,258 attacks per week, marking the highest number of average weekly global cyberattacks in two years.

As cyber threats continue to increase and evolve, the US federal agencies CISA, NSA, and FBI as well as international partners in Australia, Canada, UK, Germany, Netherlands, New Zealand, Czech Republic, Israel, Singapore, Korea, Norway, and Japan are calling for technology providers to take on more ownership for the security of their products rather than relying on customers to constantly perform monitoring, routine updates, and damage control on these products.
By shifting the burden from consumers and small organizations that use technology to the actual tech providers and developers, these agencies believe the world will be better able to understand, manage, and reduce risk to the cyber and physical infrastructure that people rely on every day.

To realize this future, CISA and its international partners are calling on every technology provider to take ownership at the executive level to ensure their products are secure by design. Below we’ll take a closer look at what this concept entails and how it can be reasonably and effectively implemented.

What does secure by design mean?

Secure by design is an approach to software development that prioritizes security as a core business requirement rather than a technical feature or afterthought. Taking this approach, tech providers build security into the design process as well as every other stage of a product’s development lifecycle in order to identify and mitigate potential vulnerabilities before they are introduced to the market. The ultimate goal is to realize a future where consumers can trust the safety and integrity of the technology that they use every day.

In order to achieve this, organizations have to create products that are both secure by design and default.

Secure by design products are purposely designed, built, tested, and maintained to reduce the number of exploitable flaws before they are introduced to the market for broad use. Secure by default products are products that are secure to use out of the box, meaning they are designed to be resilient against prevalent threats, vulnerabilities, and exploitation techniques without end users having to take additional steps to secure them. These products have secure configurations enabled by default and security features such as multi-factor authentication (MFA), logging, and single sign-on (SSO) available at no additional cost and with no extra licensing required.

Shipping secure by design and secure by default products will drastically reduce the number of exploitable flaws that can result in cyber attacks and breaches. Let’s take a closer look at why this is important below. 

Why is secure by design important?

As the threat of malicious cyber activity from both criminal and state actors continues to grow, it is more important than ever for technology manufacturers to make safer products in order to help protect customers.

Historically, technology manufacturers have relied on customers to identify vulnerabilities after they’ve deployed their products. The manufacturers then figure out how to fix the vulnerabilities, release patches, and require customers to apply those patches at their own expense and as quickly as possible. This leaves customers vulnerable to security incidents that may impact their economic prosperity, livelihood, and even their health. As just one example, insecure technology in the healthcare infrastructure has led to hospitals and other healthcare organizations having to cancel surgeries, divert patients to other facilities, and leave prescriptions unfulfilled. 

Secure by design shifts this dynamic. Rather than expect customers to continuously apply patches, monitor logs, deploy hardening guides, and buy security products to make the products they’re buying safe, technology manufacturers are expected to create and ship safe products out of the box. This requires them to build security into products from the very beginning, even before the development process kicks off, in order to eliminate classes of vulnerability, or product defects, that may impact the safety of their customers.

By systematically eliminating vulnerabilities before deployment rather than dealing with the consequences of them being present after deployment, technology manufacturers that embrace secure by design can help defend critical infrastructure and improve global security.

Now that we understand its importance, let’s dive into the principles of secure by design below.

Secure by design principles

In joint guidance initially published in April 2023 and updated in October of the same year, CISA and the other authoring agencies define three principles to guide technology manufacturers in transforming their design and development processes to build and deliver more secure products.

1. Take ownership of customer security outcomes

A core tenet of secure by design is to shift the burden of security away from the "least capable" (customers, small businesses, schools, and state and local governments) to the most capable, namely the large technology manufacturers. These manufacturers should take full ownership of the security outcomes of their customers' purchases and evolve their products accordingly.

2. Embrace radical transparency and accountability

Another core principle of secure by design is that software manufacturers should lead the way with radical transparency and accountability by sharing what they learn from product deployments and vulnerabilities. This may include publishing statistics and trends about their products (such as what percentage of customers are on the latest version) as well as detailed vulnerability advisories and the associated Common Vulnerabilities and Exposures (CVE) records. The goal of this information sharing is to help other manufacturers learn what to do, and what not to do.

3. Lead from the top

The final principle is getting executive-level commitment to ensure security is treated as a business priority and critical requirement of product design and development. Executives should play a key role in:

  • Elevating the responsibility of security beyond the IT department
  • Allocating resources to ensure that software security is a core business priority from the beginning 
  • Creating internal incentives to make security a design requirement
  • Fostering a culture in which security is a business imperative
  • Maintaining an open line of communication for feedback internally and externally regarding product security issues

Implementing secure by design principles

Now that we understand the foundational principles of secure by design, let’s walk through some tactical ways you can implement them at your organization. We’ve focused on key takeaways from the more exhaustive list found in CISA’s official publication.  

1. Establish a security-centric culture and accountability system

Secure by design requires a mindset shift within your organization to prioritize security alongside other business goals like speed-to-market and feature expansion. It requires buy-in from stakeholders at all levels, from executives to developers, as well as a system for accountability for customers’ security outcomes.

Below are some ways you can foster a culture of security and accountability:

  • Convene routine meetings with company executive leadership to drive the importance of secure by design within the organization.
  • Establish policies and procedures to reward production teams that develop products adhering to secure by design and default principles.
  • Invest in security training for employees.
  • Assign a software security leader or team that upholds business and IT practices to directly link software security standards and manufacturer accountability.
  • Have senior leadership hold teams accountable for delivering secure products, with security being clearly characterized as a subcategory of product quality.

2. Incorporate security into requirements before development 

Security requirements should be clearly defined alongside functional requirements at the beginning of the development process. This ensures that security considerations are integral to the design and development of the software from the outset, which will help increase the product’s quality, development team’s efficiency, and customers’ security.

3. Use a tailored threat model during development

Threat modeling is a structured, repeatable process used to gain actionable insights into the security of a system. It enables development teams to understand how adversaries might exploit weaknesses in a system and determine responses and ways to fortify the system accordingly. Threat modeling should be performed early in the software development lifecycle, such as during the design phase, throughout the lifecycle, and reviewed at least annually so that the threat model is maintained and refined alongside the system. 

Using a threat model that’s tailored to a specific product and its use case will enable your team to prioritize the most critical and high-impact security features. 

4. Utilize secure coding practices

Developers play a crucial role in implementing secure by design principles. They should be trained in secure coding practices and vulnerability testing and provided with tools and frameworks that facilitate secure development. 

Some best practices are:

  • Using parameterized queries
  • Using a memory safe programming language
  • Using hardware-backed cryptographic key management 
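As an added illustration of the first practice above (example code written for this article, not from CISA's guidance or from Secureframe), here is a string-built query beside its parameterized form, run against a constructed in-memory SQLite table. The table name, columns and sample rows are assumptions.

```python
import sqlite3

# Constructed sample data (not from the page): two users in an in-memory table.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_email_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The defect: user input is spliced into the SQL text, so any quote
    character in `name` changes the meaning of the statement."""
    query = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def find_email_safe(conn: sqlite3.Connection, name: str) -> list:
    """The hardened form: the driver binds `name` as a value, never as syntax."""
    query = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def unsafe_error(conn: sqlite3.Connection, name: str):
    """Return the error message the string-built query raises for `name`,
    or None if it ran; used to show that ordinary data can break it."""
    try:
        find_email_unsafe(conn, name)
    except sqlite3.OperationalError as err:
        return str(err)
    return None


if __name__ == "__main__":
    db = make_db()
    # A legitimate name with an apostrophe is plain data for the safe query
    # but a syntax error for the unsafe one.
    print(find_email_safe(db, "o'brien"), unsafe_error(db, "o'brien"))
    # The classic tautology returns nothing from the safe query (no such user)
    # but every row from the unsafe one, because it rewrote the WHERE clause.
    print(find_email_safe(db, "x' OR '1'='1"), find_email_unsafe(db, "x' OR '1'='1"))
```

The same discipline applies to any database driver: the query text is a constant, and every value the user controls travels through the driver's placeholder mechanism.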

5. Implement multiple layers of defense

Implementing multiple layers of defense mechanisms, rather than relying on a single layer of security, can help prevent malicious actors from compromising systems or obtaining unauthorized access to sensitive data. This security strategy is known as defense-in-depth and may involve the application of the following countermeasures:

  • Firewalls
  • Intrusion detection systems
  • Encryption
  • Regular security updates

6. Set secure and fail-safe defaults

Rather than rely on administrators to have the time, expertise, and awareness to harden application settings to make a product more secure, system components and configurations should be securely configured by default. This means disabling unnecessary services, enabling encryption, and following best practices for authentication and access control, including the principles of least privilege and separation of duties. 

In addition to secure defaults, systems should also have fail-safe mechanisms in place to prevent unauthorized access or data loss in the event of a security breach. This might include implementing role-based access controls, data backup procedures, and disaster recovery plans.
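To make the deny-by-default, least-privilege and separation-of-duties ideas above concrete, here is an added authorization check (example code for this article, not from the page or any Secureframe product). The roles, permissions and invoice workflow are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample policy (not from the page): each role lists only the
# permissions it is explicitly granted. Anything absent is denied, so an
# unknown role or a misspelled action fails closed rather than open.
ROLE_PERMISSIONS = {
    "viewer": {"invoice:read"},
    "clerk": {"invoice:read", "invoice:create"},
    "approver": {"invoice:read", "invoice:approve"},
}

# Separation of duties: the second action in each pair may not be performed
# by the person who performed the first on the same object, even if that
# person holds roles granting both permissions.
CONFLICTING_ACTIONS = {("invoice:create", "invoice:approve")}


@dataclass
class Invoice:
    invoice_id: str
    created_by: str  # who performed invoice:create


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(user: str, roles: set, action: str, invoice: Invoice) -> Decision:
    """Fail-safe check: allow only on an explicit grant that also passes
    the separation-of-duties rule; every other path returns a denial."""
    granted = set()
    for role in roles:
        # Unknown roles contribute nothing instead of raising or allowing.
        granted |= ROLE_PERMISSIONS.get(role, set())
    if action not in granted:
        return Decision(False, f"no role grants {action}")
    for first, second in CONFLICTING_ACTIONS:
        if action == second and invoice.created_by == user:
            return Decision(False, f"{first} and {second} need different people")
    return Decision(True, "explicit grant")


if __name__ == "__main__":
    inv = Invoice("INV-1", created_by="dana")
    print(authorize("erin", {"approver"}, "invoice:approve", inv))   # allowed
    print(authorize("dana", {"clerk", "approver"}, "invoice:approve", inv))  # SoD denial
    print(authorize("erin", {"admin"}, "invoice:read", inv))  # unknown role: denied
```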

7. Automate security testing

Automated security testing tools can help identify vulnerabilities early in the development process, allowing developers to address them before they escalate into serious security risks. This includes:

  • Static analysis tools for code review
  • Dynamic analysis tools for testing runtime behavior
  • Penetration testing tools for simulating real-world attacks
  • Continuous scanning and monitoring to ensure compliance and adherence to baseline configurations

8. Establish a robust vulnerability management program

A robust vulnerability management program can help your organization prioritize vulnerabilities based on risk and exposure, prevent the introduction of known vulnerabilities, maintain compliance with security standards and regulations, minimize the overall attack surface, and understand and improve your security posture.

Your vulnerability management program should not focus only on patching vulnerabilities discovered internally or externally. Instead, it should analyze vulnerabilities and their root causes and then take the necessary steps to eliminate entire classes of vulnerabilities, improving the security of your product and of the software industry as a whole.

9. Implement continuous monitoring and alerts

Security is an ongoing process that requires continuous monitoring and improvement. Organizations should implement processes for monitoring their IT infrastructure, systems, and applications to detect potential security threats and vulnerabilities in real-time. A combination of manual and automated processes is recommended, since automation can help make continuous monitoring more cost-effective, consistent, and efficient.

10. Publish a vulnerability disclosure policy

Adversaries will continue to exploit technology vulnerabilities, and even products that are secure by design will continue to have vulnerabilities. However, tech manufacturers can help identify and document the root causes behind large sets of vulnerabilities so they can be remediated. One key way to do this is by publishing a vulnerability disclosure policy. This policy should:

  • authorize testing against all products offered by the manufacturer and state the conditions for those tests
  • provide legal safe harbor for actions performed consistent with the policy
  • allow public disclosure of vulnerabilities after a set timeline
  • be integrated into the vulnerability management process so the root cause of each identified vulnerability is actually eliminated

Challenges and considerations when implementing secure by design principles

While secure by design offers numerous benefits in terms of reducing security risks and minimizing the impact of security incidents, it also presents certain challenges and considerations that organizations must address.

1. Balancing security with usability

There is often a trade-off between security and other business requirements, especially usability. Implementing certain security measures like MFA or automated updates may inconvenience users or impede their workflows. Finding the right balance between security and usability is crucial to ensure that software is safe and functional.

2. Increased development costs

CISA and its partners acknowledge that implementing secure by design principles may increase development costs. This pain point will be particularly acute for smaller organizations. However, they believe investing in secure by design practices for developing new technology products and maintaining existing ones will be worth the upfront costs since it can:

  • Substantially improve the security posture of customers and reduce the likelihood of compromise
  • Strengthen brand reputation for developers
  • Lower maintenance and patching costs for manufacturers in the long term

3. Resource constraints

Beyond budget, implementing secure by design principles requires dedicated resources, including time, expertise, and leadership support. Startups and small to medium-sized businesses with limited resources may struggle to prioritize security alongside other competing priorities. 

However, secure by design will become table stakes as customers come to expect safe products from their tech providers. Additionally, ensuring security by design when building your infrastructure will save time and resources down the line once your product is live and you have to focus on more pressing business needs. All providers should start implementing these principles, even if they can’t match the speed and scale of larger providers. 

4. Keeping pace with evolving threats

Cyber threats are constantly evolving, making it challenging for organizations to keep pace with emerging risks. Implementing secure by design principles requires a proactive approach. Organizations must stay abreast of the latest security trends and technologies and regularly update their security measures to adapt to evolving threats. Automation can help organizations address this challenge. 

5. Legacy systems and technical debt

Organizations with legacy systems may face challenges in implementing secure by design principles due to technical debt, outdated technologies, and compatibility issues. In such cases, organizations may need to prioritize modernization efforts or implement compensating controls and additional layers of security to mitigate risks.

How Secureframe can help

Secure by design represents a paradigm shift in software development, emphasizing the importance of integrating security principles and practices into every stage of the development lifecycle. By adopting a proactive approach to security, organizations can reduce the risk of security breaches, safeguard sensitive data, and protect their reputation and bottom line. 

Secureframe can help simplify the implementation of secure by design practices. With our automation platform and in-house team of compliance and security experts, you can:

  • Identify security and compliance gaps against secure by design principles once the platform is integrated with your tech stack
  • Automatically monitor your networks, devices, and applications to assess configuration posture and collect raw JSON evidence, showcasing adherence to both compliance standards and corporate security controls.
  • Get alerts about detected misconfigurations via Slack, Jira, email, or directly in the platform.
  • Quickly address infrastructure misconfigurations using step-by-step remediation guidance, or utilize Comply AI to promptly remediate cloud misconfigurations with infrastructure as code.
  • Develop tailored controls that align with your specific IT requirements and systematically monitor these controls to ensure alignment with your business goals.
  • Monitor employee devices to verify compliance with requirements and oversee their access to vendors within your ecosystem, ensuring least privilege access.
  • Integrate your cloud platform and developer tools to see all of your vulnerabilities from services like AWS Inspector and GitHub in one place.
  • Complete a risk questionnaire annually and establish your risk register where you can continuously manage IT risks throughout the year. 
  • Get guidance and answers to any questions you may have from compliance managers.
  • Get access to a partner network of trusted auditors and pen testing firms.

Learn more about how Secureframe can help you build and maintain secure and compliant products by scheduling a personalized demo today.

FAQs

What is meant by secure by design?

Secure by design means that technology products are designed, built, tested, and maintained in a way that reduces the number of vulnerabilities that malicious cyber actors may use to gain access to devices, data, and connected infrastructure. 

What is the difference between secure by design and secure by default?

Secure by design products are products that were conceptualized with customer security as a goal before and throughout the development lifecycle. Secure by default products are as secure as possible out-of-box without any additional security configurations or costs. It’s important to note that the joint guide by CISA and other partners states that secure by design encompasses secure by design and secure by default. 

What are the security by design principles?

The three core security by design principles are:

  1. Take ownership of customer security outcomes.
  2. Embrace radical transparency and accountability.
  3. Build organizational structure and leadership to achieve these goals. 
