Feds Issue Secure by Design Guidance for Software Purchasers
Cybercriminals and nation-state threat actors are targeting software vendors. A successful attack on a vendor could see the threat actor gain access to all their clients’ networks, providing a massive return for the same amount of effort as attacking a single customer. While some software vendors have taken great strides towards making their infrastructure and software secure, with others, much of the burden of cybersecurity falls on their customers.
In April 2023, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and their international partners published secure by design guidance for software manufacturers which explains the principles and approaches for secure by design software to help manufacturers incorporate cybersecurity during the design phase, ensuring out-of-the-box protections for software users that last for the entire product lifecycle.
This week CISA and the FBI published a companion secure by design guide for software customers to help them understand a software manufacturer’s approach to security and ask the right questions about security before procurement, integrate security requirements into contract language, and assess software manufacturers’ product security and security outcomes after procurement.
As the authoring agencies explained in the guidance, software customers are often focused on the enterprise security measures of a software manufacturer when conducting due diligence and ensuring those companies are adhering to compliance standards. While enterprise security is a good measure of a company’s attitude toward cybersecurity, it is only concerned with ensuring the manufacturer’s infrastructure is protected against cyberattacks.
Software customers also need to assess a manufacturer’s approach to product security – the measures that have been implemented to protect the software itself from attack throughout the entire product lifecycle. The guidance walks software buyers through the questions that should be asked of software manufacturers, such as whether the manufacturer has taken CISA’s Secure by Design Pledge, what steps have been taken to make it easy for customers to install security updates, whether the product supports secure authentication such as multi-factor authentication, whether default passwords have been eliminated, and whether entire classes of software defects have been addressed across their products.
Software buyers should look for manufacturers that make security logs available to customers in the baseline version of their products, that provide a Software Bill of Materials (SBOM) listing all third-party dependencies and open source software components, and that can demonstrate transparency and timeliness in vulnerability reporting.
CISA and the FBI stress that software manufacturers strive to deliver the features that customers request, so it is vital that customers explicitly demand security as part of the procurement process, as that will help to drive the necessary change toward making products secure by design.