What Do Secure-by-Design and Secure-by-Default Mean?
CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, the United Kingdom, Germany, the Netherlands, and New Zealand jointly developed and released guidance for technology manufacturers on building Secure-by-Design and Secure-by-Default principles into their products, with the aim of raising the baseline level of cybersecurity for the organizations that use them.
Secure-by-Design means building security into a system or product from the start of its design rather than bolting it on later. Likely threats and classes of vulnerability are identified during the design phase, and the controls that address them (for example memory-safe languages, parameterized queries, and defense in depth) become part of the architecture itself. The goal is a product that is inherently secure, so that customers do not depend on additional security measures being added after the fact.
Secure-by-Default, on the other hand, concerns how a product ships: it arrives in its most secure configuration out of the box, with the hardening measures a manufacturer would otherwise only document in a "hardening guide" already enabled and included at no extra cost. Customers should not have to discover and enable security settings themselves; protection against common threats is in place before any configuration is done, and loosening a secure default is a deliberate, explicit decision by the customer rather than the starting point.
Both Secure-by-Design and Secure-by-Default are essential concepts in cybersecurity. Together they let developers build products and systems that are more secure, more resilient, and better able to withstand cyber threats, which contributes to a more sustainable security ecosystem.
Applying these principles protects both the organization and its customers, instills confidence in the marketplace, fosters trust, and enhances brand reputation. Secure-by-Design and Secure-by-Default are not just about creating individual secure products or systems; practiced consistently, they create a culture of security that permeates the entire organization.
Three Core Principles of Secure-by-Design
1. The burden of security lies on the manufacturer, not the customer
2. Adopt radical transparency and embrace accountability
3. Create an organizational structure to support Secure-by-Design practices
Secure-by-Design and Secure-by-Default Best Practices
Secure-by-Design Best Practices
- Prioritize the use of memory-safe languages
- Incorporate architectural features that enable fine-grained memory protection
- Maintain well-secured software components and keep third-party dependencies up to date
- Use web template frameworks that automatically escape user-supplied data when it is rendered
- Use parameterized queries rather than building SQL statements from strings
- Perform static and dynamic application security testing (SAST and DAST)
- Ensure that code submitted into products goes through peer review by other developers
- Create a software bill of materials (SBOM) to give visibility into the components a product contains
- Design infrastructure with defense in depth, so that the breach of one security control does not compromise the entire system
- Design products that meet CISA's Cybersecurity Performance Goals (CPGs)
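As an added illustration of two items in the list above (parameterized queries and auto-escaping templates), and not code from the guidance or from the page's author: the Python below builds a constructed in-memory SQLite table and shows string-spliced SQL beside a parameterized query, then a minimal template renderer that escapes every value unless it is explicitly marked safe, the way autoescaping template engines do. The table contents, the `SafeHTML` marker class and the function names are assumptions made for the example.

```python
import html
import sqlite3

# Constructed sample data for the example (not from the page).
SAMPLE_USERS = [("alice", 0), ("bob", 1)]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users (name, is_admin) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_unsafe(conn, name):
    """Vulnerable: the untrusted value is spliced into the SQL text, so it can
    change the structure of the query (classic SQL injection)."""
    sql = f"SELECT name FROM users WHERE name = '{name}' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    """Parameterized: the SQL text is fixed and the value travels separately as a
    bound parameter, so it is only ever compared, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


class SafeHTML(str):
    """Marker for a string the developer has vouched for as safe HTML.
    Hypothetical stand-in for a template engine's 'Markup' type."""


def render_unsafe(template, **values):
    """Vulnerable: values are inserted verbatim into the HTML (reflected/stored XSS)."""
    return template.format(**values)


def render_autoescaped(template, **values):
    """Secure by default: every value is HTML-escaped unless it was explicitly
    wrapped in SafeHTML. Forgetting to escape is no longer possible; the
    developer has to opt out deliberately for each trusted value."""
    escaped = {
        k: (v if isinstance(v, SafeHTML) else html.escape(str(v), quote=True))
        for k, v in values.items()
    }
    return template.format(**escaped)


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("unsafe:", find_user_unsafe(conn, payload))  # every user leaks
    print("safe:  ", find_user_safe(conn, payload))    # no such user, as intended
    xss = "<script>alert(1)</script>"
    print(render_unsafe("<p>Hello {name}</p>", name=xss))
    print(render_autoescaped("<p>Hello {name}</p>", name=xss))
    print(render_autoescaped("<p>{body}</p>", body=SafeHTML("<b>trusted</b>")))
```

The design point is the direction of the default: in `render_autoescaped` the safe behaviour happens without any action by the developer, and the unsafe behaviour requires an explicit `SafeHTML` wrapper that is easy to spot in code review. The same holds for the bound parameter in `find_user_safe`, which keeps data and query structure apart regardless of what the caller passes.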
Secure-by-Default Best Practices
- Eliminate default passwords from all products
- Support single sign-on (SSO) technology
- Provide high-quality audit logs to customers at no extra cost
- Make the settings in the "hardening guide" the default configuration
- Offer recommended authorization profiles (roles) together with the use cases each is intended for
- Prioritize security over backward compatibility
- Build in secure settings that cannot be turned off
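As an added example, not from the page or from the joint guidance, of what the list above looks like in code: a small Python configuration loader whose defaults are the hardened settings, which refuses well-known factory passwords, allows TLS to be disabled only on the loopback address, and treats audit logging and administrator MFA as settings that cannot be switched off. The setting names, the password list and the 12-character floor are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, fields

# Constructed list of factory credentials the loader must refuse (assumption for the example).
KNOWN_DEFAULT_PASSWORDS = {"admin", "password", "changeme", "12345678"}
ALLOWED_TLS_VERSIONS = ("1.2", "1.3")


class InsecureConfig(ValueError):
    """Raised when a configuration would take the product below its secure baseline."""


@dataclass(frozen=True)
class ServiceConfig:
    # No default on purpose: every deployment must supply its own credential.
    admin_password: str
    # Everything below ships in its hardened state; loosening is an explicit act.
    tls_enabled: bool = True
    min_tls_version: str = "1.2"
    require_mfa_for_admin: bool = True    # fixed: validate() rejects False
    listen_address: str = "127.0.0.1"     # loopback until the operator exposes it
    audit_log_enabled: bool = True        # fixed: validate() rejects False


def first_boot_password():
    """Replace a shared factory default with a unique per-install secret."""
    return secrets.token_urlsafe(18)


def validate(cfg):
    """Return the list of ways cfg falls below the secure baseline (empty if none)."""
    problems = []
    pw = cfg.admin_password or ""
    if pw.lower() in KNOWN_DEFAULT_PASSWORDS:
        problems.append("admin_password is a well-known default")
    elif len(pw) < 12:
        problems.append("admin_password shorter than 12 characters")
    if cfg.min_tls_version not in ALLOWED_TLS_VERSIONS:
        problems.append(f"min_tls_version {cfg.min_tls_version!r} is below the allowed floor")
    if not cfg.tls_enabled and cfg.listen_address != "127.0.0.1":
        problems.append("plaintext listener is only permitted on loopback")
    if not cfg.require_mfa_for_admin:
        problems.append("MFA for privileged users cannot be disabled")
    if not cfg.audit_log_enabled:
        problems.append("audit logging cannot be turned off")
    return problems


def load_config(overrides):
    """Build a ServiceConfig from operator-supplied overrides and fail closed."""
    known = {f.name for f in fields(ServiceConfig)}
    unknown = set(overrides) - known
    if unknown:
        raise InsecureConfig(f"unknown settings: {sorted(unknown)}")
    if "admin_password" not in overrides:
        raise InsecureConfig("admin_password must be supplied; see first_boot_password()")
    cfg = ServiceConfig(**overrides)
    problems = validate(cfg)
    if problems:
        raise InsecureConfig("; ".join(problems))
    return cfg


if __name__ == "__main__":
    cfg = load_config({"admin_password": first_boot_password()})
    print("secure defaults:", cfg)
    try:
        load_config({"admin_password": "admin", "tls_enabled": False, "listen_address": "0.0.0.0"})
    except InsecureConfig as exc:
        print("rejected:", exc)
```

Two choices carry the principle. First, the only field without a default is the credential, so a deployment cannot start on a shared factory password; `first_boot_password()` gives each install its own. Second, `validate()` makes the loader fail closed: an operator can relax a setting that the hardening guide would allow (plaintext on loopback for local testing), but settings the manufacturer has decided are non-negotiable stay in place even when the configuration file says otherwise.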
How to Implement Secure-by-Design Practices
Manufacturers and software development organizations should work to implement Secure-by-Design practices in order to strengthen the security posture of both their company and their customers.
Here are three ways tech companies can start to implement Secure-by-Design practices.