Unpacking the Latest Secure by Design Guidance

Unpacking the Latest Secure by Design Guidance (2023)

Application exploits are now responsible for more than 50% of breaches, making it crucial for software manufacturers to prioritize secure by design and secure by default in product development processes. Governments urge vendors to reduce the burden of cybersecurity on customers, facilitating automation of configuration, monitoring, and routine updates.

The Secure by Design Guidance is a roadmap with recommendations for software manufacturers to ensure the security of their products. It is very likely that this guidance will transform to regulations. Starting now, gives you a headstart on the competition and saves your organization from a painful, forced transition, down the road.

The latest update from CISA (Cybersecurity and Infrastructure Security Agency) and its 17 U.S. and international partners has brought a new level of urgency to this topic. This joint effort has culminated in a comprehensive guide that not only sets the stage for secure software but also seeks to revolutionize the very principles and approaches behind it.

Initially unveiled in April 2023, the release of this groundbreaking guidance was nothing short of a clarion call to software manufacturers worldwide. The message is clear and resounding: it’s time to shift the balance of cybersecurity risk in favor of robust, secure-by-design products. No longer can we afford the band-aid approach of patching vulnerabilities after the fact; it’s high time we reenvision the entire software development process.

It transcends nations and borders, extending its reach to countries like the Czech Republic, Israel, Singapore, Korea, Norway, OAS/CICTE CSIRTAmericas Network, and Japan (JPCERT/CC and NISC). What was once a U.S.-centric endeavor has evolved into a global roadmap for technology manufacturers to ensure the security of their products.

CISA and its 17 U.S. and international partners

Three Key Principles for Success

This updated guidance builds on feedback from a broad spectrum of stakeholders, including individuals, companies, and non-profits. At its core, it revolves around three pivotal principles:

Take Ownership of Customer Security Outcomes

Place a strong emphasis on ensuring customer security outcomes and consistently evolve products to safeguard their interests. The responsibility for security should be shared, alleviating any undue burden on the customer.

Embrace Radical Transparency and Accountability

Distinguish your organization by committing to delivering secure products and openly sharing insights gained from customer deployments. It may include the adoption of robust default authentication measures.

Maintain a steadfast commitment to providing thorough and accurate vulnerability advisories and keeping common vulnerability and exposure (CVE) records up to date. A high number of CVEs should be viewed as a sign of a vigorous code analysis and testing community rather than a negative metric.

Lead From the Top

Build organizational structure and leadership to achieve these goals. While technical expertise is pivotal in product security, senior executives are the primary decision-makers for driving organizational change. Executives must prioritize security as a fundamental element of product development, collaborating closely with customers to achieve these objectives.

At MergeBase we embrace this by not assigning security responsibilities only to a security team, but rather by implementing the shift-left philosophy of having development take direct responsibility for application security. By providing tools that help our teams with meaningful guidance, rather than extending their to-do lists, we make security focus an efficient part of everyday activities.

Secure by Design: Leading the Way in Cyber Security

In an era where the digital landscape is ever-evolving and cyber threats are a constant menace, the Secure by Design approach is not just a catchy phrase. It’s a paradigm shift, a call to arms for the software industry.

The update from CISA and its international partners is a testament to the collective commitment to make secure software the norm, not the exception.

MergeBase amplifies this commitment by generating SBOMs, offering real-time vulnerability insights and hastening the remediation cycle, fortifying the defense against malicious actors. The time to act is now; elevate your security stance and mitigate breach risks proactively.

Embark on a secure digital journey!

Kelly West

About the Author

Kelly West

Seasoned product leader boasting more than two decades of experience in the realm of digital and technology-driven products.