The country’s top cybersecurity agency is urging developers to take steps to ensure the software they’re building and the products they roll out are secure and protect end users.
The Cybersecurity and Infrastructure Security Agency (CISA) this week rolled out a series of recommendations that it wants businesses and critical infrastructure organizations to adopt to protect themselves against the growing cyberthreats they face.
The 18 “voluntary practices with high-impact security actions” – divided between recommendations for software development processes and product design – are part of a larger push by CISA over the past few years to secure the software supply chain and to shift the responsibility of security from the users of products to the organizations that create them.
They dovetail with the agency’s secure-by-design efforts, which advocate for addressing security throughout the software development lifecycle. They also reflect the Secure Software Development Framework developed by the National Institute of Standards and Technology (NIST), according to Chris Hughes, chief security advisor at software supply chain security firm Endor Labs and a CISA Cyber Innovation Fellow.
“They’re good reminders and solid cyber hygiene recommendations that most organizations should be doing, especially those in IT- and product-centric development environments, with ramifications for downstream customers and consumers,” Hughes said.
MFA, SBOMs and More
None of the recommendations should come as a surprise to developers. Regarding software development, CISA recommends that developers separate all the environments in the process, such as development, build, test, and distribution; enforce multifactor authentication (MFA) across all of them; eliminate the insecure storage and transmission of plaintext credentials; use automated tools to test software for vulnerabilities; and deal with security flaws before releasing the software.
In addition, the agency wants organizations to make software bills of materials (SBOMs) – a key security step that CISA has been advocating for, detailing all the components used to create the product – available to customers.
For product design, key steps include broader use of MFA for customers, eliminating default passwords, releasing security patches broadly and promptly, and enabling users to understand, monitor, and respond to cybersecurity issues affecting products, such as initial access, privilege escalation and lateral movement.
Businesses also need to be clear with users when products are reaching end-of-life and security patches will no longer be available for them.
A Good Start
While applauding CISA’s efforts, Hughes said there are other areas that should have been emphasized more.
“There is some language around vulnerabilities,” he said. “It could be taken a step further with an emphasis on prioritizing known exploitation, exploitation probability, and reachability for not just internal vulnerability management efforts but in external communications through vulnerability disclosures, for example.”
Other areas of emphasis could have been open-source software governance and security and broader specifications for cybersecurity supply chain risk management (C-SCRM) for third parties, including software-as-a-service (SaaS) providers.
What About C-SCRM?
Supply chain risk management is a fast-growing market, with Introspective Market Research analysts expecting the space to expand from $3.46 billion in 2023 to $7.68 billion by 2032. C-SCRM is a more specific area of the market that focuses on identifying, analyzing, and mitigating vulnerabilities, data exposures, and similar security issues in IT and operational technology products and services. It’s a process pushed by NIST, the General Services Administration (GSA), and other government agencies.
What will be most challenging is that these steps are voluntary, Hughes said, adding that they “will conflict with competing priorities organizations have, such as speed to market, revenue, feature velocity and market share, all of which CISA has themselves cited as challenges with efforts such as Secure-by-Design.”
It’s also unclear how CISA’s mandate will change under the incoming presidential administration, which has long been an opponent of regulations on the private sector and is expected to narrow the agency’s responsibilities.