
CISA Introduces Secure-by-design and Secure-by-default Development Principles

On April 13th, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) published a set of principles for the development of security-by-design and security-by-default cybersecurity products. This set of principles is a direct result of the National Cybersecurity Strategy published on March 1, 2023, and was developed in collaboration between CISA, the NSA, the FBI, and foreign security agencies including those from Australia, Canada, and the UK.

The security-by-design principles suggest that developers use memory-safe programming languages such as Rust, Go, Python, Java, C#, and Swift, build on a secure hardware foundation, employ secure software components, and use static and dynamic application security testing (SAST and DAST). The security-by-default principles recommend no default passwords, mandated MFA, single sign-on via modern open standards, secure logging, and "loosening guides" that explain which configuration changes users should make and list the security risks each change introduces.

The purpose of this set of principles is to improve the cybersecurity of the entire nation in the face of increasing threats from criminals and adversarial nation-states. To achieve this, developers must willingly adopt the principles, and customers, with the support of executive management, must insist on buying secure-by-design and secure-by-default products. The Administration has already made clear that it will use its purchasing power to help persuade developers to comply.

In summary, CISA has developed a set of principles for the development of security-by-design and security-by-default cybersecurity products. These principles are in line with the National Cybersecurity Strategy and were developed in collaboration between CISA, the NSA, the FBI, and foreign security agencies. Their purpose is to improve the cybersecurity of the entire nation; developers must willingly adopt the principles, and customers must insist on buying secure-by-design and secure-by-default products.

Key Points:

  • CISA has developed a set of principles for the development of security-by-design and security-by-default cybersecurity products.
  • The security-by-design principles suggest the use of memory safe programming languages, a secure hardware foundation, secure software components, and testing.
  • The security-by-default principles recommend no default password, mandated MFA, single sign on via modern open standards, and secure logging.
  • The purpose of this set of principles is to improve the cybersecurity of the entire nation.
  • Developers must willingly adopt the principles and customers must insist on buying secure-by-design and secure-by-default products.
  • The Administration has already made clear that it will use its purchasing power to help persuade developers to comply.
