
Security Architecture

CISA Debuts ‘Secure by Design’ Alert Series

New CISA alerts shed light on the harm occurring when software vendors fail to implement secure by design principles.

The US cybersecurity agency CISA on Wednesday introduced a new type of alert aimed at underlining the harm caused by not building security into the software development lifecycle.

The new Secure by Design (SbD) alerts are meant to provide information on “how vendor decisions can reduce harm at a global scale”, instead of detailing what could have been done to prevent or respond to threats.

The first installment (PDF) in CISA’s alerts series brings to light malicious activity targeting web management interfaces and how implementing security best practices and eliminating specific classes of vulnerabilities can better shield customers from these threats.

“This guidance was created to urge software manufacturers to proactively prevent the exploitation of vulnerabilities in web management interfaces by designing and developing their products using secure-by-design principles,” CISA notes.

According to the agency, vendors can improve customer protections in web management interfaces by implementing two principles: taking ownership of customer security outcomes and embracing radical transparency and accountability.

The first principle covers application hardening, features, and default settings. “When designing these areas, software manufacturers should examine the default settings of their products,” CISA notes.

Products should enforce security best practices instead of relying on the customer to do so, such as disabling the web interface by default, preventing product operations when in a vulnerable state (such as exposed to the internet), and warning of the risks associated with changing the default configurations.
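The following is an added illustration of how a product could enforce those three behaviours at startup rather than leaving them to the customer. It is example code written for this page, not CISA guidance text or any vendor's product code; the `ManagementConfig` field names, the `evaluate` policy and the address ranges treated as "not exposed" are assumptions made for the example.

```python
"""Secure-by-default startup policy for a product's web management interface.

Example code (not from CISA or any vendor). The policy mirrors the three
practices described above: the interface is off by default, the product
refuses to run when the interface would be exposed to the internet unless
the operator explicitly accepts that risk, and every weakening of a default
produces a warning the operator sees.
"""
import ipaddress
from dataclasses import dataclass, field

# Assumed definition of "not exposed": loopback and RFC 1918 / ULA ranges.
_SAFE_RANGES = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),
]


@dataclass
class ManagementConfig:
    """Vendor-chosen defaults: interface disabled, loopback only, TLS on."""
    enabled: bool = False
    bind_address: str = "127.0.0.1"
    tls: bool = True
    # Explicit opt-in for internet exposure; even when set, a warning is issued.
    allow_internet_exposure: bool = False


@dataclass
class Decision:
    start: bool
    warnings: list = field(default_factory=list)
    errors: list = field(default_factory=list)


def is_exposed(bind_address: str) -> bool:
    """True when the listener could be reachable from the internet."""
    if bind_address in ("0.0.0.0", "::"):
        return True  # wildcard bind: every interface, including public ones
    addr = ipaddress.ip_address(bind_address)
    return not any(addr in net for net in _SAFE_RANGES)


def evaluate(cfg: ManagementConfig) -> Decision:
    """Decide whether the product may start and what the operator must hear."""
    d = Decision(start=True)
    if not cfg.enabled:
        return d  # default path: nothing listens, so nothing is attackable

    if not cfg.tls:
        d.warnings.append("TLS disabled: management credentials cross the network in cleartext")

    if is_exposed(cfg.bind_address):
        if cfg.allow_internet_exposure:
            d.warnings.append(
                f"management interface on {cfg.bind_address} is reachable from the internet"
            )
        else:
            # Vulnerable state: refuse to operate instead of running exposed.
            d.errors.append(
                f"refusing to start: {cfg.bind_address} exposes the management "
                "interface to the internet (set allow_internet_exposure to override)"
            )
            d.start = False
    elif cfg.bind_address != "127.0.0.1":
        d.warnings.append(
            f"default bind address changed: interface reachable on the local network via {cfg.bind_address}"
        )
    return d


if __name__ == "__main__":
    # Constructed sample configurations, from safest to least safe.
    for cfg in (
        ManagementConfig(),
        ManagementConfig(enabled=True),
        ManagementConfig(enabled=True, bind_address="192.168.1.5"),
        ManagementConfig(enabled=True, bind_address="0.0.0.0"),
        ManagementConfig(enabled=True, bind_address="0.0.0.0",
                         allow_internet_exposure=True, tls=False),
    ):
        print(cfg, "->", evaluate(cfg))
```

The key design point is that the decision lives in the vendor's code path, not in a hardening guide: the unsafe combination is blocked unless the operator takes a deliberate, logged step to accept it, and the safe configuration requires no action at all.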

“Software manufacturers should conduct field tests to understand how their customers deploy products in their unique environments and whether customers are deploying products in unsafe ways. This practice will help bridge the gap between developer expectations and actual customer usage of the product,” CISA notes.


Per the second principle, vendors should fully embrace transparency when disclosing vulnerabilities, tracking the root cause of each security defect, and ensuring that complete details are provided with each CVE.

“Not only does this help customers understand and assess risk, but it also enables other software manufacturers to learn from mistakes fixed across the industry,” the agency says.

Additionally, CISA recommends that vendors identify and eliminate repeat classes of flaws in their products.

“To shield their customers from malicious cyber activity targeting web management interfaces, software manufacturers should adopt the principles set forth in Shifting the Balance of Cybersecurity Risk and publish their own secure-by-design roadmap that demonstrates that they are not simply implementing tactical controls but are rethinking their role in keeping customers secure,” CISA concludes.

Related: Federal Push for Secure-by-Design: What It Means for Developers

Related: CISA Introduces Secure-by-design and Secure-by-default Development Principles

Related: White House Releases National Cybersecurity Strategy

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
