Vulnerable by Design and by Default

Just posting the seal here since it looks so cool and flashy

CISA recently published an update of their 2023 Security by Design document: Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software . The previous one dated from 2023 and this one sounds so pragmatic that it reminded of when i first learnt about ITIL which was also based on best practices. It’s so clearly written and contains so many open doors that it’s a no-brainer.

I said “was” since ITIL has become so academic that it’s losing it’s pragmatic, easily to deploy unique selling point. Just like I don’t like Internet Security Forum, now rebranded to ISF I guess. Why I don’t like it? It is so academic, lenghty buky that it’s more like an academic schoolbook, a research product, maybe even the result of a Phd from people with high foreheads that do not work in companies but at universities. It’s not pragmatic. Imagine you are an energetic fresh information security officer and from ISO 27001 best practice point of view you are meeting up with the business owner and system owner of an IT asset and you ask them to perform a security classification (rate it along the Confidentiality, Integrity and Availability axes with High, medium and low. Sort of a BIA,). The moment you show up with an asset classification form that you just downloaded from ISF they will still smile at you but after 8 pages, they will show you the door and will think of security as a ridiculous bureaucratic failure. It’s just not implementable ! Academic wise I am sure it’s brilliant.

Going back to applauding the pragmatic approach of CISA with their security by design, let me highlight some parts from the document that really stand out:

Manufacturers are encouraged to take ownership of improving the security outcomes of their customers. Historically, software manufacturers have relied on fixing vulnerabilities found after the customers have deployed the products, requiring the customers to apply those patches at their own expense. Only by incorporating secure by design practices will we break the vicious cycle of constantly creating and applying fixes.
===>>>>> Remember those days where Microsoft issued security fixes/patches/packs that were sometimes as big as the original OS?

Well before development, products that are secure by design are conceptualized with the security of customers as a core business goal, not just a technical feature.
===>>>>> This sounds like a no-brainer but it’s the mindset that makes the difference. Comparable when Maersk Oil had the zero safety incident policy. One could argue that it’s not realistic to have zero safety incidents with hundreds of oil rigs and thousands of employees but the policy signalled the intent and the commitment to go for it.

Security should not be a luxury option, but should be considered a right customers receive without negotiating or paying more.
===>>>>> This reminds me of Alex Stamos writing a cynical article about Microsofts Midnight Blizzard incident. in which he blames Microsoft for recommending potential victims of attack on their own cloud-hosted infrastructure to buy additional premium services. “They need to throw away this poisonous idea of security as a separate profit centre and rededicate themselves to shipping products that are secure-by-default while providing all security features to all customers.”

Embrace radical transparency and accountability.
===>>>>> I think they borrowed that term from Ray Dalio. The point being made is “The collective industry would benefit from more information sharing on topics such as strategies to measure the cost of security defects and to eliminate classes of vulnerability”. Radical transparency will benefit the defenders more than the adversaries.

The idea is that security must be “baked in,” and not “bolted on. [1]
I just loved that phrase and followed the footnote since I was curious where it came from. Guess what: it’s a 1972 paper from the Electronic Systems Division, written by James. P. Anderson
[1] ]

Test security incident event management (SIEM) and security orchestration, automation, and response (SOAR) integration.
===>>>>> In the previous version it was mentioned: Consider best practices such as providing easy integration with security information and event management (SIEM) systems.
In this version it says on page 18:

That is a leap of a lightyear !

Provide logging at no additional charge.
===>>>>> And again I am reminded of Microsoft where only companies/customers who paid for an additional logging feature could detect an attack on the Microsoft Cloud infrastructure.

One of companies that read this document is Google, as can be seen with their announcement of ChromeOS Flex where they write ChromeOS Flex is built with security as a first principle, not an afterthought

In case you want to respond, please do so by means of Twitter or e-mail. (just typer peter then add the @ symbol and then the domain name