The US cybersecurity agency CISA on Wednesday introduced a new type of alert aimed at underlining the harm caused by not implementing security in the software development lifecycle.
The new Secure by Design (SbD) alerts are meant to provide information on “how vendor decisions can reduce harm at a global scale”, instead of detailing what could have been done to prevent or respond to threats.
The first installment (PDF) in CISA’s alerts series brings to light malicious activity targeting web management interfaces and how implementing security best practices and eliminating specific classes of vulnerabilities can better shield customers from these threats.
“This guidance was created to urge software manufacturers to proactively prevent the exploitation of vulnerabilities in web management interfaces by designing and developing their products using secure-by-design principles,” CISA notes.
According to the agency, vendors can improve customer protections in web management interfaces by implementing two principles: taking ownership of customer security outcomes and embracing radical transparency and accountability.
The first principle covers application hardening, features, and default settings. “When designing these areas, software manufacturers should examine the default settings of their products,” CISA notes.
Products should enforce security best practices themselves rather than relying on the customer to do so, for example by disabling the web interface by default, preventing the product from operating while in a vulnerable state (such as when exposed to the internet), and warning of the risks associated with changing the default configurations.
“Software manufacturers should conduct field tests to understand how their customers deploy products in their unique environments and whether customers are deploying products in unsafe ways. This practice will help bridge the gap between developer expectations and actual customer usage of the product,” CISA notes.
Per the second principle, vendors should fully embrace transparency when disclosing vulnerabilities, track the root cause of each security defect, and ensure that complete details are provided with each CVE.
“Not only does this help customers understand and assess risk, but it also enables other software manufacturers to learn from mistakes fixed across the industry,” the agency says.
Additionally, CISA recommends that vendors identify and eliminate repeat classes of flaws in their products.
“To shield their customers from malicious cyber activity targeting web management interfaces, software manufacturers should adopt the principles set forth in Shifting the Balance of Cybersecurity Risk and publish their own secure-by-design roadmap that demonstrates that they are not simply implementing tactical controls but are rethinking their role in keeping customers secure,” CISA concludes.