CISA seeks comment on secure by design principles to boost global software security

Dive Brief:

  • The Cybersecurity and Infrastructure Security Agency is seeking comment on a global effort to improve software security through major changes in development practices.
  • The request for information, released Wednesday, seeks input about how best to incorporate security into the software development life cycle. Specifically, CISA is asking for input on how to tackle recurring software vulnerabilities, how to incorporate security into higher education, how to enhance security in operational technology, and how secure practices may affect costs.
  • “Our goal to drive forward a future where technology is safe and secure by design requires action by every technology manufacturer and clear demand by every consumer, which in turn requires us to rigorously seek and incorporate input,” CISA Director Jen Easterly said in the announcement.

Dive Insight:

CISA has actively pushed the industry to embrace secure by design principles as part of a larger effort by the Biden administration to make security a core feature of software development.

Malicious criminal hackers and nation-state adversaries have, in many cases, launched attacks by exploiting critical vulnerabilities in software that were left exposed by customers who either continue to use old versions or failed to apply emergency security patches.

For example, major companies such as Boeing and Comcast’s Xfinity broadband entertainment business were hit by malicious hackers who exploited a critical buffer overflow vulnerability in Citrix Netscaler dubbed CitrixBleed.

A source familiar with the secure by design plan said software manufacturers have expressed support for the effort, but CISA still needs more formal input. 

Earlier this month, IT-ISAC released a white paper calling for cloud and critical SaaS providers to embrace secure by default principles, which has been part of the larger secure by design emphasis by CISA. 

“Secure by default is a journey lots of software developers are on,” said James Dolph, CISO at Guidewire Software and co-author of the IT-ISAC report. “Our hope with the paper is we can more clearly define the goal so engineers, user-experience professionals and security teams can work towards better outcomes for their customers and other users.” 

Among the suggested changes, cloud companies could be required to institute multifactor authentication by default, automatically rotate secrets or place time restrictions on elevated-access privileges. 
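As an added illustration of the three defaults just listed (this is not code from CISA, IT-ISAC or the article, and every class, function and sample value below is an assumption constructed for the example), the Python below models a cloud tenant once under an opt-in configuration and once under secure defaults, then audits both. The point it makes is that the same user activity yields an account without MFA, a never-rotated secret and a standing admin grant under the opt-in model, and none of those under the secure-by-default model, because the provider's defaults, not the customer's diligence, decide the outcome.

```python
# Added example, not code from CISA, IT-ISAC or the article: a small model of
# the three secure-by-default controls the IT-ISAC paper suggests (MFA on by
# default, automatic secret rotation, time-restricted elevated access), shown
# under an opt-in ("weak") tenant configuration and a secure-by-default one.
# All names and the sample clock/data are illustrative assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # constructed clock


@dataclass
class Account:
    name: str
    mfa_enabled: bool


@dataclass
class Secret:
    name: str
    created_at: datetime


@dataclass
class ElevatedGrant:
    user: str
    role: str
    granted_at: datetime
    expires_at: Optional[datetime]  # None means the grant never expires

    def is_active(self, now: datetime) -> bool:
        return self.expires_at is None or now < self.expires_at


class Tenant:
    """Provider-chosen defaults; the customer never has to opt in."""

    def __init__(self, mfa_by_default: bool,
                 rotation_interval: Optional[timedelta],
                 max_elevation: Optional[timedelta]):
        self.mfa_by_default = mfa_by_default
        self.rotation_interval = rotation_interval  # None: never rotated
        self.max_elevation = max_elevation          # None: standing access
        self.accounts: list[Account] = []
        self.secrets: list[Secret] = []
        self.grants: list[ElevatedGrant] = []

    def create_account(self, name: str) -> Account:
        # Secure by default: MFA is on unless the provider's default says otherwise.
        acct = Account(name, mfa_enabled=self.mfa_by_default)
        self.accounts.append(acct)
        return acct

    def add_secret(self, name: str, created_at: datetime) -> Secret:
        s = Secret(name, created_at)
        self.secrets.append(s)
        return s

    def rotate_due_secrets(self, now: datetime) -> list[str]:
        """Automatic rotation: re-issue every secret older than the interval."""
        if self.rotation_interval is None:
            return []
        rotated = []
        for s in self.secrets:
            if now - s.created_at >= self.rotation_interval:
                s.created_at = now  # stands in for issuing a fresh credential
                rotated.append(s.name)
        return rotated

    def grant_elevated(self, user: str, role: str, now: datetime) -> ElevatedGrant:
        # Time-restricted elevation: the grant carries an expiry the provider caps.
        expires = None if self.max_elevation is None else now + self.max_elevation
        g = ElevatedGrant(user, role, now, expires)
        self.grants.append(g)
        return g

    def has_elevated(self, user: str, role: str, now: datetime) -> bool:
        return any(g.user == user and g.role == role and g.is_active(now)
                   for g in self.grants)


def audit(t: Tenant, now: datetime) -> dict:
    """Report which of the three defaults the tenant actually delivers."""
    return {
        "accounts_without_mfa": [a.name for a in t.accounts if not a.mfa_enabled],
        "stale_secrets": [s.name for s in t.secrets
                          if t.rotation_interval is None
                          or now - s.created_at >= t.rotation_interval],
        "standing_elevations": [f"{g.user}:{g.role}" for g in t.grants
                                if g.expires_at is None],
    }


def build_tenant(secure: bool) -> Tenant:
    """Constructed sample: identical activity under opt-in vs secure defaults."""
    t = Tenant(mfa_by_default=secure,
               rotation_interval=timedelta(days=90) if secure else None,
               max_elevation=timedelta(hours=4) if secure else None)
    t.create_account("alice")
    t.add_secret("db-password", NOW - timedelta(days=200))
    t.rotate_due_secrets(NOW)
    t.grant_elevated("alice", "admin", NOW)
    return t


if __name__ == "__main__":
    for label, secure in (("opt-in", False), ("secure-by-default", True)):
        t = build_tenant(secure)
        print(label, audit(t, NOW), "admin still active after 8h:",
              t.has_elevated("alice", "admin", NOW + timedelta(hours=8)))
```

The audit treats a tenant with no rotation interval as having every secret stale, since a secret that is never rotated is exactly the condition automatic rotation is meant to remove; likewise a grant with no expiry is reported as standing access even while it is legitimately in use.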

Responses to the RFI are due by Feb. 20.