Why Vendors May Struggle to Maintain “Secure by Design” Momentum

Scores of technology vendors have signed up to a US government-backed Secure by Design pledge. But will the commitment mark a break with the past and the seemingly never-ending cycle of cyber-attacks? Independent experts, while praising the initiative as worthy, remain unsure about its likely impact.

What’s it About?

The US Cybersecurity and Infrastructure Security Agency (CISA) is trying to get software vendors to sign up to the pledge as part of a wider strategy to improve national cybersecurity resilience. It is voluntary and not legally binding, but aims to drive software vendors to make security a foundational part of their product development lifecycle.

The goals of the pledge fall into seven categories:

⦁ Increase the use of multi-factor authentication across products

⦁ Reduce the prevalence of default passwords across products

⦁ Demonstrate a significant measurable reduction in the prevalence of one or more vulnerability classes across products

⦁ Increase the installation of security patches by customers

⦁ Publish a vulnerability disclosure policy that authorises public testing

⦁ Demonstrate transparency in vulnerability reporting by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) data in vulnerability reports. Issue Common Vulnerabilities and Exposures (CVE) records for products in a timely manner

⦁ Increase the ability for customers to gather evidence of cybersecurity intrusions affecting a manufacturer’s technologies

Software developers, cloud services, and SaaS technologies are all within scope of the pledge, but physical products such as IoT devices and consumer goods are not. A group of 68 leading technology firms – including Amazon Web Services, Cisco, Google and Microsoft – signed up to the pledge when it was launched in early May, and this figure has since increased to more than 140 vendors.

CISA hopes public commitments from a growing list of companies will encourage transparency and enable customers to evaluate vendors’ progress on security goals. Manufacturers are asked to document their progress in achieving their goals within a year of signing the pledge, partly so that the wider industry can learn from their security journey.

Backing Up the Pledge

Vendors already routinely promise to improve their security in the wake of cyber-attacks or breaches, so it’s legitimate to ask how much impact a voluntary pledge is likely to have.

“The pledge itself, while vital to raising awareness and setting the necessary benchmark for security practices, does not enforce or incentivise vendors beyond ethical responsibility to fully integrate these principles into their development processes,” Keeper Security VP of security and compliance, Patrick Tiquet, tells ISMS.online.

“However, if software customers insist that developers make this pledge, and confirm that they’re following through on it, the pledge will become less voluntary and morph into a basic expectation.”

Taimur Ijlal, a tech expert and information security leader at Netify, also strikes a note of caution.

“Leading companies like Microsoft and Google must set an example and encourage others to follow if they want the promise to bring about significant change,” he tells ISMS.online. “Without market forces or legal demands, however, a lot of software providers could still be reluctant to participate, even with their backing.”

Much is dependent on the ethical standard of signatories, according to Ijlal, who adds that even a wholehearted commitment to improvements is no guarantee for success.

“Vulnerabilities still slip through even in software produced by reputable vendors,” he argues. “While the pledge encourages progress, it lacks enforcement mechanisms to ensure companies fully deliver on their commitments.”

Maria Opre, a cybersecurity expert and senior analyst at EarthWeb, argues that vendors can reap economic benefits from improving the security of their products.

“For enterprises, security breaches can have devastating impacts – regulatory fines, reputation damage, costly downtime, just to name a few,” she tells ISMS.online. “Following secure coding practices from the start reduces technical debt and expensive after-the-fact patching. It’s a wise investment.”

Cat and Mouse

There’s also a danger that any progress achieved through the pledge could be undermined by changes in the tactics of threat actors.

John Allison, director of public sector business at Checkmarx, says that an evolution in threats is to be expected, so the goal should be to continuously improve security and levy costs on attackers.

“Adversaries are always evolving, but the objective here is to force them to adapt, and to invest the time and effort to find gaps in a fundamentally sound security architecture,” he tells ISMS.online. “I’d expect the secure-by-design goals to evolve over time as the threats evolve as well.”

Netify’s Ijlal argues that Secure by Design must become an “ongoing practice” rather than a one-off tick-box approach.

“Developers must constantly assess new risks and evolve their practices accordingly. Static security will always be bypassed eventually,” he adds. “It’s good to teach developers how to design secure code, do risk assessments, and employ threat modelling. As we streamline procedures, we also need to invest in people.”

Shift Left

The promotion of DevSecOps practices, which encourage software developers to “shift left” by engaging in secure coding practices from the outset, aligns with the goals of CISA’s Secure by Design pledge.

It allows developers to mitigate risks before they become exploitable vulnerabilities. However, achieving this requires more than just pledges; it demands a comprehensive integration of security best practices throughout the software development lifecycle.

“Building a well-thought-out and effective security architecture requires a very different skillset than most software developers have,” according to Checkmarx’s Allison. “In the rush to get new products to market, security is often either ignored completely or done minimally, just sufficient to pass a certification.”

Standards Drive

Certifications can help promote Secure by Design by raising the bar on what controls must be put in place and how auditors must assess a company before granting the certification. Experts also claim that security standards such as ISO 27001 can help promote a security-by-design culture. ISO 27001, for example, provides a framework for managing information security that helps organisations systematically address security risks.

“Standards like ISO 27001 play a crucial role in promoting a security-by-design culture. By adhering to such standards, companies can ensure that security is not an afterthought but a fundamental component of their operations,” concludes Keeper Security’s Tiquet.

“This standardisation can drive the adoption of secure development practices and foster a more resilient software environment.”