Publication
Joint international guidance: Principles and approaches to secure-by-design and by-default
About
Publication date: 2023
Actor
Type
Themes & Topics
About
CERT NZ alongside the cybersecurity authorities of Australia, Canada, United States, United Kingdom, Germany, and Netherlands have published “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default.”
Details
The joint guidance urges software manufacturers to the steps necessary to ship products that are secure-by-design and -default, creating a future where technology and associated products are safe for customers.
Security-by-Design and -Default | CISA External Link
The joint agencies urge manufacturers to revamp their design and development programs to permit only products that secure-by-design and -default to be shipped to customers.
This guidance, the first of its kind, is intended to catalyse progress toward further investments and cultural shifts necessary to achieve a safe and secure future. In addition to specific technical recommendations, this guidance outlines several core principles to guide software manufacturers in building software security into their design processes prior to developing, configuring, and shipping their products.
- Shifting the burden of security from the customers by taking ownership of the security outcomes of their products. Making a secure configuration the default baseline, in which products automatically enable the most important security controls needed to protect enterprises from malicious cyber actors.
- Embracing radical transparency and accountability – for example, by ensuring vulnerability advisories and associated common vulnerability and exposure (CVE) records are complete and accurate.
- Building an organizational structure that provides executive level commitment for software manufacturers to prioritise security as a critical element of product development.
The full co-branded guidance can be found on the Cybersecurity and Infrastructure Security Agency (CISA) website.
Security-by-Design and -Default | CISA External Link
Many private sector partners have made invaluable contributions toward advancing security-by-design and security-by-default. With this joint guide, the authoring agencies seek to progress an international conversation about key priorities, investments, and decisions necessary to achieve a future where technology is safe, secure, and resilient by design and default.