CISA, the FBI, the NSA and several international government agencies recently collaborated to publish ‘Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default’. The publication opens with the observation that many technology manufacturers (for example, software providers) ship products that are ‘Vulnerable by Design’, and it encourages them to adopt a Secure-by-Design approach, which in turn enables Secure-by-Default. Without going down the rabbit hole of debating whether a manufacturer’s first goal must be a working product (without which it cannot serve its clientele at all), it is important to understand that these concepts are not new; they are simply being communicated more clearly. The stated goal of the publication is to ‘progress an international conversation about key priorities, investments, and decisions necessary to achieve a future where technology is safe, secure, and resilient by design and default’.

Concept of Secure-by-Design

Though the idea is not new, many organizations struggle with what it means and with defining an approach that does not slow speed to market. In summary, Secure-by-Design means developing a technology solution so that attackers cannot readily exploit or compromise it. This is obviously easier said than done, but the publication does provide guidance for how technology manufacturers can work toward that goal:

  1. Conduct a risk assessment capturing relevant cyber threats to systems, services, and code
  2. Develop protective controls, include them in the system or service architecture documents with consideration of the changing threat landscape
  3. Deploy a defense in depth strategy incorporating a tailored threat model for the product or service being developed

Simply put, this is a holistic approach to cybersecurity that every organization should be taking. One thing I am sure we are all acutely aware of is that nothing is, or likely ever will be, 100% secure. What we may not fully appreciate is that the large number of vulnerabilities we see, both identified and unidentified, typically trace back to a much smaller number of root causes. An overly simple example is the volume of compromises that stem from unpatched software with published CVEs; though large in number, the underlying cause is usually an ineffective configuration and patch management program.

Concept of Secure-by-Default

Again, this is not a new concept, and yet it remains a challenge to adopt. Generally speaking, Secure-by-Default means that every unnecessary or insecure service and feature is ‘off’ at installation or implementation, and that the consumer may activate additional services or features only after being notified that doing so increases the risk of exposure or compromise. The challenge is that organizations are unique, with equally unique IT ecosystems, and some will genuinely need to activate those potentially vulnerable services or features.

The first takeaway from this concept and guidance is that the manufacturer of the software or service ships or deploys its solution with the most critical controls already in place, with nothing for the consumer to configure. Equally important, this is done without charging an additional ‘feature’ or ‘service’ fee for those controls.

The second takeaway is straightforward: complex security configuration should be the manufacturer’s responsibility. Taken at face value this is good, because it shifts responsibility from the consumer to the provider, and the result for the consumer is tangible: a lower total cost of ownership.
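To make the Secure-by-Default principle concrete, here is a small configuration loader written for this post as an added illustration; it is not code from the publication or from any Orca Security product, and the service, its settings, the risk wording and the sample consumer inputs are all made up. Every default is the safe choice, the consumer has to opt out of each protection explicitly, each opt-out comes back as a risk notice (the ‘notification’ the publication calls for), and one combination the manufacturer considers unacceptable is refused outright rather than left to the consumer to get right:

```python
"""Secure-by-Default configuration loading: added illustrative example.

Not code from the CISA publication or from Orca Security. The service,
settings, risk descriptions and sample inputs are constructed for this post.
"""
from dataclasses import dataclass, fields
from typing import Any, Dict, List, Tuple


@dataclass(frozen=True)
class ServiceConfig:
    # Every default is the safe choice; the consumer must opt out explicitly.
    bind_address: str = "127.0.0.1"   # loopback only, never 0.0.0.0 by default
    require_tls: bool = True
    verify_client_certs: bool = True
    mfa_required: bool = True
    debug_endpoints: bool = False
    legacy_api_v1: bool = False
    audit_logging: bool = True


# What the consumer is told when a setting is moved off its secure default.
RISKY_CHANGES: Dict[str, str] = {
    "bind_address": "service reachable beyond the local host",
    "require_tls": "credentials and data sent in cleartext",
    "verify_client_certs": "clients can connect without proving their identity",
    "mfa_required": "password-only authentication",
    "debug_endpoints": "diagnostic endpoints expose internal state",
    "legacy_api_v1": "deprecated API surface with known weaknesses re-enabled",
    "audit_logging": "no record of administrative actions",
}


class ConfigError(ValueError):
    """Raised for settings the manufacturer will not accept at all."""


def load_config(user_settings: Dict[str, Any]) -> Tuple[ServiceConfig, List[str]]:
    """Merge consumer-supplied settings over the secure defaults.

    Returns the effective configuration plus one risk notice per weakened
    setting. Unknown keys are rejected rather than ignored, so a misspelled
    key is caught instead of silently leaving the intended value unset.
    """
    defaults = ServiceConfig()
    known = {f.name for f in fields(ServiceConfig)}
    unknown = set(user_settings) - known
    if unknown:
        raise ConfigError(f"unknown setting(s): {sorted(unknown)}")

    merged: Dict[str, Any] = {}
    for f in fields(ServiceConfig):
        default_value = getattr(defaults, f.name)
        value = user_settings.get(f.name, default_value)
        # Types are checked against the default's type so that, e.g., the
        # string "false" cannot be mistaken for a boolean opt-out.
        if not isinstance(value, type(default_value)):
            raise ConfigError(
                f"{f.name}: expected {type(default_value).__name__}, "
                f"got {type(value).__name__}"
            )
        merged[f.name] = value

    # Every departure from a secure default produces a notice the consumer sees.
    notices = [
        f"{name}={merged[name]!r}: {risk}"
        for name, risk in RISKY_CHANGES.items()
        if merged[name] != getattr(defaults, name)
    ]

    cfg = ServiceConfig(**merged)
    # Some combinations are not an opt-in at all: the manufacturer keeps
    # responsibility for the complex case and simply refuses it.
    if cfg.debug_endpoints and cfg.bind_address != defaults.bind_address:
        raise ConfigError("debug endpoints may only be enabled on the loopback address")
    return cfg, notices


if __name__ == "__main__":
    # Constructed sample: a consumer who turns off MFA and re-enables an old API.
    sample_consumer_settings = {"mfa_required": False, "legacy_api_v1": True}
    config, risk_notices = load_config(sample_consumer_settings)
    print(config)
    for notice in risk_notices:
        print("RISK ACCEPTED:", notice)
```

Two design points worth noting. First, the consumer who supplies nothing gets a fully hardened service and no notices; only an explicit change produces a warning, so the notices double as a record of accepted risk that can be fed into an organization’s own risk register. Second, the hard refusal shows where Secure-by-Default ends and the manufacturer’s responsibility for complex configuration begins: exposing diagnostic endpoints off the loopback interface is not offered as a toggle at all.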

General Insight

This publication gives consumers fairly straightforward guidance: buy services and software that are ‘Secure-by-Design’ and ‘Secure-by-Default’. Easy to say, hard to do. Specifically, how does an organization verify or validate that its vendor is adhering to these principles? In some respects it is simple. For example, FedRAMP provides a standardized framework that cloud service providers must meet to obtain a FedRAMP authorization, and authorized offerings are then subject to continuous monitoring for weaknesses that could put an agency’s systems and data at risk.

Another way to verify is through Third Party Risk Management or Supply Chain Risk Management practices that review the security practices and operations of vendors and suppliers. All this said, the publication clearly aims to push, or transfer, much of the cyber risk from the consumer to the manufacturer. Frankly, this is a good thing. Further, and to the credit of the authoring agencies, the publication gives manufacturers guidance on moving toward a ‘Secure-by-Design’ and ‘Secure-by-Default’ posture for product delivery, and it pays attention to the operational impact on manufacturers of adopting and adhering to these principles. Again, another good thing.

Overall, this publication is a good step toward improving security across public and private sector partnerships by more clearly outlining the steps each side can take to improve the security of critical systems and infrastructure. Also, because the authoring agencies span multiple countries, it demonstrates the need and the desire to expand the public-private partnership in the battle against cyber criminals who look to exploit weaknesses that put critical systems and infrastructure in harm’s way.

About Orca Security

We believe in ‘Secure-by-Design’ and ‘Secure-by-Default’ and practice this in both our commercial and public service offerings. Our SaaS cloud security platform provides organizations (public and private) full visibility into their cloud ecosystems, highlighting the service, system and feature vulnerabilities that present risk to the organization. These highlights include insights into software packages with vulnerabilities, services that are overly permissive, and the vectors that attackers could use to exploit or compromise a system.
Ready to learn more about the Orca Cloud Security Platform? Schedule a demo or sign up for a free risk assessment to start taking control of your cloud security.