U.S. and international government agencies are urging software manufacturers to “revamp” the design of certain software to take the burden of cybersecurity flaws off the customer.
Historically, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the NSA and a host of international law enforcement agencies say that “technology manufacturers have relied on fixing vulnerabilities found after the customers have deployed the products, requiring the customers to apply those patches at their own expense,” according to an alert from the agencies released on Thursday.
The alert is aimed at tech providers and customers, according to CISA Executive Director Eric Goldstein.
Goldstein said he hopes tech providers will use the product to "actually change their internal cultures," and invest in the changes they are hoping to outline. He is also hoping that customers use the guidance as well so that they know what to ask for when dealing with software companies, but he acknowledged the document is just the beginning.
"We see this document as an opening to an international conversation," he explained.
The agencies are urging software manufacturers to “revamp their design and development programs to permit only Secure-by-Design and -Default products to be shipped to customers.” The agencies call the two concepts “Secure by Design” and “Secure by Default.”
“Products that are Secure-by-Design are those where the security of the customers is a core business goal, not just a technical feature,” the alert says. “Secure-by-Design products start with that goal before development starts. Secure-by-Default products are those that are secure to use ‘out of the box’ with little to no configuration changes necessary and security features available without additional cost.”
The government agencies say there are three principles software manufacturers should abide by when designing products.
“Now more than ever, it is crucial for technology manufacturers to make Secure-by-Design and Secure-by-Default the focal points of product design and development processes,” the alert says. “Some vendors have made great strides driving the industry forward in software assurance, while others lag behind.”
Under those principles, the burden of protecting systems should not fall solely on the customer who purchases the software; manufacturers should share information with other companies when relevant to help secure customers’ systems; and they should build a leadership structure to put the “Secure by Design” and “Secure by Default” principles into practice.
Goldstein said the hope is that the solutions outlined are adopted not just by technical advisors but by senior leaders at the top of software companies, and he said they are looking "forward to opening the aperture of collaboration," so that all the voices in the software industry are heard.