
One Year Later: CISA’s Secure by Design Initiative


The Cybersecurity and Infrastructure Security Agency (CISA) launched the Secure by Design initiative in April 2023 to raise the baseline for software security across the industry. Its premise is that vendors should ship products that are secure out of the box, so that the burden of securing a product no longer falls on the customer deploying it.

CISA’s Secure by Design initiative is built on three key software security principles: taking ownership of customer security outcomes, embracing radical transparency and accountability, and establishing organizational structures and leadership to achieve these goals. As the initiative moves into its second year, vendors can expect more guidance from CISA and other government agencies on how software is designed, developed, and delivered.

One hundred signatories have already committed to the Secure by Design pledge. The pledge covers seven goals, among them increasing the use of multi-factor authentication, eliminating default passwords, reducing entire classes of vulnerability, publishing a vulnerability disclosure policy and issuing CVEs, and demonstrating measurable progress on each goal within one year of signing. Signatories are encouraged to document that progress publicly, in keeping with the initiative's emphasis on radical transparency.

In March 2024, CISA and the Office of Management and Budget (OMB) released the Secure Software Development Attestation Form, which software producers must complete before federal agencies can use their software. The form asks producers to attest to secure development practices drawn from NIST's Secure Software Development Framework (SSDF). It advances the Secure by Design principles and strengthens software supply chain security by giving agencies visibility into the development practices of the producers whose software they buy, rather than relying on the buyer to verify security after the fact.

To further incentivize secure development, the White House is engaging with software makers on a framework that would shift liability for insecure software onto the vendors best positioned to prevent exploitable flaws. This effort is a core component of the Biden administration's National Cybersecurity Strategy and is closely tied to CISA's Secure by Demand guidance, which equips buyers to require Secure by Design practices from their suppliers. Discussions around software liability are ongoing, particularly for open-source software, where the goal is an approach that protects users without penalizing maintainers who give their code away freely.

Moving towards a Secure by Design framework in practice means adopting DevSecOps practices, maintaining software bills of materials (SBOMs), and securing any AI that is incorporated into the development process. DevSecOps integrates security checks throughout the development lifecycle, so vulnerabilities are found and fixed close to where they are introduced rather than at release time. SBOMs give vendors and customers visibility into the origin, known vulnerabilities, and risk of every package in a product, and make it possible to answer "are we affected?" quickly when a new vulnerability is disclosed. AI tools can assist in generating secure code and in identifying and resolving vulnerabilities, but their output needs the same review and testing as any other code.
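As an added illustration of the "are we affected?" question an SBOM is meant to answer (this is example code written for this page, not a tool from the article, CISA, or GitLab): the script below parses a small CycloneDX SBOM, extracts each component's package URL (purl) and version, and checks it against a list of advisories with affected version ranges. Both the SBOM and the advisory list are constructed inline so the script runs offline; the advisory entries are simplified from public CVE data and a real pipeline would pull them from a source such as OSV or the NVD. The version comparison is numeric-only and ignores pre-release suffixes, which is an assumption you would replace with a proper ecosystem-aware comparator in production.

```python
"""Match components in a CycloneDX SBOM against vulnerability advisories.

Added example for this page; not from the article, CISA, or GitLab.
The SBOM and advisories below are constructed inline so it runs offline.
"""
import json
import re

# Constructed CycloneDX 1.5 SBOM fragment (not a real product's SBOM).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "requests", "version": "2.25.1",
     "purl": "pkg:pypi/requests@2.25.1"},
    {"type": "library", "name": "log4j-core",
     "group": "org.apache.logging.log4j", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"type": "library", "name": "lodash", "version": "4.17.15",
     "purl": "pkg:npm/lodash@4.17.15"}
  ]
}
"""

# Constructed advisory list, simplified from public CVE data: each entry
# names a purl without version and an affected range [introduced, fixed).
ADVISORIES = [
    {"id": "CVE-2023-32681", "purl": "pkg:pypi/requests",
     "introduced": "0", "fixed": "2.31.0"},
    {"id": "CVE-2020-8203", "purl": "pkg:npm/lodash",
     "introduced": "0", "fixed": "4.17.19"},
    {"id": "CVE-2021-44228",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.15.0"},
]


def version_key(version):
    """Numeric-only version key (assumption: pre-release tags are ignored)."""
    parts = []
    for seg in version.split("."):
        m = re.match(r"\d+", seg)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def split_purl(purl):
    """Return (purl without version, version); drops qualifiers and subpath."""
    purl = purl.split("?", 1)[0].split("#", 1)[0]
    base, sep, version = purl.rpartition("@")
    if not sep:
        return purl, ""
    return base, version


def is_affected(version, introduced, fixed):
    """True if introduced <= version < fixed (fixed=None means no fix yet)."""
    v = version_key(version)
    if version_key(introduced) > v:
        return False
    return fixed is None or v < version_key(fixed)


def load_components(sbom_text):
    """Yield (purl-without-version, version) for every component with a purl."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    comps = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # nothing to match on; a real pipeline should flag these
        base, version = split_purl(purl)
        comps.append((base, version or comp.get("version", "")))
    return comps


def scan(sbom_text, advisories):
    """Return (purl, version, advisory id, fixed version) for each match."""
    findings = []
    for base, version in load_components(sbom_text):
        for adv in advisories:
            if adv["purl"] == base and is_affected(
                version, adv["introduced"], adv["fixed"]
            ):
                findings.append((base, version, adv["id"], adv["fixed"]))
    return findings


if __name__ == "__main__":
    for base, version, vuln_id, fixed in scan(SBOM_JSON, ADVISORIES):
        print(f"{base}@{version}: {vuln_id} (upgrade to >= {fixed})")
```

Run against the embedded SBOM, the scan reports requests 2.25.1 and lodash 4.17.15 as affected and leaves log4j-core 2.17.1 alone, because it sits above the fixed version. The same scan run in CI on every build is the DevSecOps step that turns an SBOM from a compliance artifact into a control.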

In conclusion, Secure by Design represents a fundamental shift towards prioritizing security and transparency in software development. As the government continues to evolve its guidance on cybersecurity, all stakeholders, including vendors and agencies, must stay informed and adapt to a more secure and transparent future. Through initiatives like Secure by Design, the industry can collectively work towards a safer digital ecosystem for all users.

Joel Krooswyk, Federal CTO at GitLab Inc., is a leading voice in software development and DevSecOps practices within the public sector. With years of experience in the software industry, including development, product management, and technical sales, Joel is dedicated to promoting secure and transparent practices in software development.
