Cyberattacks prompt new CISA efforts
Escalating and more significant cyberattacks have prompted new guidance from the U.S. government regarding software development and the software supply chain.
First, several government agencies including the National Security Agency recently published Securing the Software Chain, a best practices guide aimed at software developers. CISA is also urging technology companies to shift their design process to make security a top priority.
In recent remarks, Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security, noted, “we need a new model where consumer safety is front and center in all phases of the technology product lifecycle—with security designed in from the beginning—and strong safety features enabled right out of the box, without added costs. … Achieving this outcome will require a significant shift in how technology is produced, including the code used to develop software, but ultimately, such a transition to secure-by-default and secure-by-design products will help both organizations and technology providers …”
Producing this “significant shift” will take a combination of technical expertise, human intervention, collaboration, and innovation. Every strategy will require a comprehensive approach and commitment to be effective.
Costs of Cyberthreats Grow More Significant
Governments globally are reinforcing their stance on cybersecurity in the wake of persistent cyberattacks that grow more aggressive and costly. Organizations must take steps to protect both systems and data, particularly in light of recent data breaches.
Attackers are exploiting risks and vulnerabilities that are growing largely because of digitalization. According to the World Economic Forum's Global Risks Report 2022, in the wake of recent and rapid digitalization, cybersecurity threats have escalated dramatically and “are outpacing societies’ ability to effectively prevent or respond to them.”
“Lower barriers to entry for cyberthreat actors, more aggressive attack methods, a dearth of cybersecurity professionals and patchwork governance mechanisms are all aggravating the risk,” the report warned.
Many cyberattacks carry substantial consequences that extend past economic costs. For instance, malicious actors recently were charged with using social media and popular video conferencing software tools for harassment of Chinese dissidents in the U.S. Other organized criminal groups continue to target government agencies, infrastructure, utilities, and power grids.
Shift to secure-by-design principles
A shift to secure-by-design principles is a recommended priority for cybersecurity strategy going forward. According to a report by McKinsey & Company, “Security and technology risk teams should engage with developers throughout each stage of development. Security teams should also adopt more systematic approaches to problems, including agile and kanban.”
A secure-by-design approach can be thought of as shifting “all the way left,” meaning moving security to the earliest possible stage. The “shift left” concept is based on the practice of moving application testing and QA to an earlier stage in the software development process. Shift left is reinforced in the DevOps process, which incorporates the agile methodology and continuous integration/continuous delivery (CI/CD). DevOps should incorporate automated testing throughout development.
However, concerns that testing may be overlooked can arise when organizations are focused on rapid product delivery and deployment. When testing is skipped or rushed and products with bugs get deployed, it ends up costing more. In addition, security is not always involved in the entire DevOps process, which can lead to security silos in development.
But when an organization follows secure-by-design and secure-by-default principles, security is a priority beginning with the product design process, even before development begins. This complete shift left is the foundation for products with security built in.
What will it take to progress to a secure-by-design approach?
CISA, global agencies, and industry stakeholders are starting to propose solutions for technology companies and developers to implement.
Some key components of secure design can draw on best practices for securing the software supply chain or on the Secure Software Development Framework. These practices include securing supply chain artifacts and reducing vulnerabilities when producing software.
Possibly the most critical step to implementing secure-by-design principles is instilling security in the organization from the top down. But making security the priority from the beginning needs buy-in from management and a cultural change throughout the organization. This type of shift also requires C-suite level acknowledgment and awareness that a security flaw can have more dramatic effects on revenue and the bottom line than a delay in product development. A security-related system failure or security breach carries additional costs including eroding customer trust that can be difficult to regain.
Security and development teams need to collaborate and support each other from the start, and this practice needs to be instilled by the CISO and other leaders. Security must be part of the process from early conceptual design stages through detailed designs and then development. To make this effective, all team members – designers, engineers, project architects, developers, as well as security teams – must be involved.
Cordoniq’s secure collaboration platform – the Cordoniq difference
Cordoniq’s API-driven platform was designed with security built in, not bolted on. Cordoniq’s security features include the most advanced current encryption and privacy technology, including:
- Up to and beyond U.S. military-grade security
- Web privacy regulation compliant
- True end-to-end encryption with the latest TLS standards, up to and including TLS 1.3
- Ability to choose your own cipher strength and PKI key depth rules
- Ability to leverage and support OAuth/2 flows