Guidance Pushes for Secure by Design Software
Software vendors are being targeted by cybercriminals and nation-state threat actors. A successful compromise of a vendor can give the attacker a foothold in the networks of all of that vendor’s clients, so the payoff is many victims for roughly the effort of attacking a single organization. Although many software vendors have made progress in securing their infrastructure and applications, others still leave the cybersecurity responsibility to their clients.
In April 2023, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and their international partners published secure by design guidance that software companies are urged to implement. The guidance describes how to integrate cybersecurity from the design stage onward, so that software users benefit from built-in protections throughout the lifetime of a product. There is also a companion guide on secure by design for software customers. It helps customers understand a software company’s approach to security, ask the right security-related questions prior to procurement, include security requirements in contract language, and evaluate the security of products and outcomes after purchase.
According to the authoring agencies, software customers usually focus on a company’s enterprise security practices during their research, checking that the company is compliant with relevant standards. If the customer is a HIPAA-covered entity, for example, it is important that the software is HIPAA-compliant and that information is stored securely. Although enterprise security reflects a company’s commitment to cybersecurity, it primarily addresses the protection of the company’s own infrastructure against cyberattacks.
Software customers should also evaluate a company’s strategy for product security—the protections in place to defend the software itself from attacks throughout the lifetime of a product. The guidance provides software buyers with questions to ask manufacturers, such as whether they have signed CISA’s Secure by Design Pledge, whether the product supports secure authentication such as multi-factor authentication, what measures were taken to simplify the installation of security updates, whether default passwords have been eliminated, and whether entire classes of software vulnerabilities have been addressed across all of their products.
Software buyers should choose companies that include security logging in the standard version of their products and provide a Software Bill of Materials (SBOM) that lists all open-source components and third-party dependencies. It is also important to assess whether the company is transparent and prompt in disclosing vulnerabilities.
CISA and the FBI emphasize that software companies often prioritize delivering the features customers ask for. Customers should therefore make security an explicit requirement in the procurement process to drive the needed shift toward secure-by-design products.
