U.S. launches secure software push with new guidelines


Welcome to The Cybersecurity 202! This sounds like a waking nightmare. We’re off tomorrow and will see you next on Monday.


Below: The United States is pushing back against Russian disinformation, and new details emerge on the U.S. intelligence leaker. First:
A big group of international agencies gives a how-to on secure-by-design, secure-by-default

Software manufacturers should put an end to default passwords, write in safer programming languages and establish vulnerability disclosure programs for reporting flaws, a collection of U.S. and international government agencies said in new guidelines today.

The “principles and approaches” document, which isn’t mandatory but lays out the agencies’ views on securing software, is the first major step in the Biden administration’s push to make software products secure as part of the design process, and to make their default settings secure as well.

It’s part of a potentially contentious multiyear effort that aims to shift the way software makers secure their products. It was a key feature of the administration’s national cybersecurity strategy, which was released last month and emphasized shifting the burden of security from consumers — who have to manage frequent software updates — to the companies that make often insecure products.

“Ensuring that software manufacturers integrate security into the earliest phases of design for their products is critical to building a secure and resilient technology ecosystem,” Cybersecurity and Infrastructure Security Agency Director Jen Easterly said in a statement. “These secure by design and secure by default principles aim to help catalyze industry-wide change across the globe to better protect all technology users. As software now powers the critical systems and services we collectively rely upon every day, consumers must demand that manufacturers prioritize product safety above all else.”

The idea

On the U.S. side, CISA, the National Security Agency and the FBI collaborated on the guidance. Security agencies in Australia, Canada, the United Kingdom and New Zealand — all the members of the Five Eyes intelligence alliance — and Germany and the Netherlands also collaborated on it.

According to the principles document, the end goal is: “To create a future where technology and associated products are safer for customers, the authoring agencies urge manufacturers to revamp their design and development programs to permit only Secure-by-Design and -Default products to be shipped to customers.”

  1. “Products that are Secure-by-Design are those where the security of the customers is a core business goal, not just a technical feature. Secure-by-Design products start with that goal before development starts.”
  2. “Secure-by-Default products are those that are secure to use ‘out of the box’ with little to no configuration changes necessary and security features available without additional cost.”

The guidelines include broad components, like making sure high-level executives embrace secure-by-design and secure-by-default principles. But they also include specific steps, like using memory-safe languages, conducting rigorous code reviews and considering ease of use for consumers.

The target audience for the guidelines is not just technology providers, but also customers so they know the right questions to ask when purchasing software, Eric Goldstein, CISA’s executive assistant director, told me. But the authors also want the entire technology landscape — nonprofits, universities, standards-developing bodies and more — to see it as well, Bob Lord, a senior technical adviser at CISA, told me.

This is only the beginning of the discussion, Goldstein and Lord said. While the agencies shared the guidelines in advance with a small number of tech firms, the idea is to have some “listening sessions” with industry to take feedback, then revise the document. Those could come as soon as later this month at the massive RSA cybersecurity conference in San Francisco.

Future steps also could include training sessions, workshops and other ways to connect pieces of the larger tech world for collaboration on these subjects.

  1. “That would be one of the major marks of success in my book,” Lord said.

The administration has also raised the prospect of legislation on secure-by-design and secure-by-default, but officials have said it could be years away.

CISA is touting the release of the guidance as a significant milestone in the history of the agency and software security. “This is the first time that either CISA, or any of the other cyberdefense agencies around the world, have put out this kind of guidance,” Goldstein said. It’s something to use as a “springboard to further both amplify and deepen our guidance in this area, to make it much clearer what reasonable expectations are for safe and secure products,” he said.

Experts weigh in

Easterly and Goldstein have held up Google as an example of instituting secure-by-design and secure-by-default practices. “I’m excited about” the guidance, Royal Hansen, vice president of privacy, safety and security engineering at Google, told me.
