In April 2023, the Cybersecurity and Infrastructure Security Agency (CISA) unveiled the Secure by Design initiative, setting a new standard for security across the industry. The initiative urges vendors to create secure software before it goes to market, relieving end-users of the responsibility for product security.
CISA’s Secure by Design initiative reflects the federal government’s commitment to strengthening cybersecurity with three software security principles:
- Take ownership of customer security outcomes.
- Embrace radical transparency and accountability.
- Build organizational structure and leadership to achieve these goals.
Now that it is entering its second year, vendors should expect more guidance from CISA and other agencies about how software is designed, developed, and delivered – and stay up-to-date on what’s coming next, including the potential shift from product security being a voluntary commitment to a requirement.
Continuous Guidance and Requirements
Over 100 signatories have committed to making a good-faith effort to meet CISA’s Secure by Design pledge goals, including increasing multi-factor authentication use, reducing default passwords, and reducing entire classes of vulnerabilities within one year. In the spirit of radical transparency, these organizations are encouraged to document their progress publicly.
In April 2024, CISA and the Office of Management and Budget (OMB) released a Secure Software Development Attestation Form, which CISA Senior Technical Advisor Jack Cable positions as another “key step” in ensuring federal contractors deliver secure products to the government.
These efforts aim to advance Secure by Design principles and enhance software supply chain security by providing more visibility and oversight into government agencies’ software development and security practices.
Incentivizing secure software development
The White House is in talks with software makers to create frameworks that legally incentivize software development without exploitable flaws. This effort, coined Secure by Demand, is a significant component of the Biden administration’s National Cyber Strategy.
Software liability is a complicated issue, especially in open-source software, which takes a community-based, collaborative approach to development. The focus on liability is a penalty-based approach for software vendors and the open-source community without consideration for its broader implications.
Some alternatives under discussion include requiring manufacturers to use open-source components to keep their tools updated to the latest versions or establishing shared liability between open-source maintainers and the companies that incorporate the tools into their products.
Regardless of future requirements, continued education on Secure by Design and Secure by Demand approaches is necessary to improve secure software development.
Developing Secure by Design software
A Secure by Design approach is the best way to avoid introducing vulnerabilities to an agency’s software. All support agencies can move toward a Secure by Design framework by adopting DevSecOps practices, maintaining a software bill of materials (SBOM), and ensuring that AI incorporated into the software development process is secure.
Embedding security into software development from the start is best achieved through DevSecOps practices. Integrating security throughout every stage of the software development process allows fully automated security scanning to identify vulnerabilities rapidly, suggests remediation for vulnerabilities, and provides on-demand remediation training for developers.
Next, SBOMs can provide buyers and operators with additional visibility into a software package’s origins, vulnerabilities, and risks. SBOMs are detailed inventories of software components, including versions, vulnerabilities, and licenses, that enable greater awareness of potential vulnerabilities and risks. While many agencies are now using SBOMs, they must be dynamic and continuously updated.
Finally, AI is one of the newest tools for helping ensure software is Secure by Design. AI can generate new code using natural language processing, identify the function of uncommented code, refactor legacy code bases into memory-safe languages, and understand and resolve vulnerabilities. However, before adopting any AI tools, agencies must ensure that their vendors have a published ethics statement, provide clarity around data learning and retention, and offer complete model transparency.
Secure by Design is a mindset shift toward radical transparency and truly embracing security as a priority. Those who work with the federal government understand that cybersecurity is essential to protect our nation’s critical services. We can all learn from the Secure by Design initiative and embrace a more secure and transparent future for software development, especially as the government’s guidance continues to evolve.
About the Author
Joel Krooswyk is the Federal CTO at GitLab Inc. He is a thought leader in software development, DevSecOps and other key IT practices within the public sector. In his current role, Joel ensures that GitLab has a voice in developing key DevSecOps practices coming from standards bodies, Congressional committees, industry working groups, and other influential organizations. He has 25 years of experience in the software industry spanning development, QA, product management, portfolio planning, and technical sales.
LinkedIn: https://www.linkedin.com/in/joelrkrooswyk/
GitLab Public Sector: https://about.gitlab.com/solutions/public-sector/
