What is Secure by Design? A Guide for Enterprise Businesses

In today’s interconnected world, technology permeates every aspect of our lives. From personal identity management to medical care, internet-facing systems connect us to critical infrastructure that impacts our economic prosperity, livelihoods, and even health. However, this convenience comes with a significant downside: the ever-present threat of cyberattacks.

Vulnerable by Design: A Growing Problem

Global cyber breaches are becoming increasingly common, with consequences ranging from hospital surgery cancellations to disruptions in critical services. Insecure technology and vulnerabilities in critical systems create opportunities for malicious actors to exploit weaknesses and compromise sensitive data. This reality underscores the urgent need for a fundamental shift in how software is designed and developed.

Secure by Design: A Proactive Approach to Cybersecurity

Secure by Design is a philosophy that emphasizes building security into the very core of software development, from the initial conceptualization to deployment and beyond. It’s about proactively preventing vulnerabilities rather than reacting to them after they’ve been exploited.

Key Principles of Secure by Design

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and a coalition of international partners have outlined three core principles for Secure by Design:

1. Take Ownership of Customer Security Outcomes

This principle emphasizes that software manufacturers should prioritize the security of their customers as a primary business objective, not just a technical feature. This means taking responsibility for the overall security posture of their products and ensuring they are resilient against prevalent cyber threats.

Key Considerations:

• Application Hardening: Implement processes and technologies that increase the cost and difficulty for malicious actors to compromise applications. This includes techniques like input validation and sanitization, using memory-safe programming languages, and rigorous software development lifecycle (SDLC) management.
• Security Features: Incorporate features that enhance the security of the product, such as Transport Layer Security (TLS) for network connections, multi-factor authentication (MFA), security event auditing, and role-based access control (RBAC).
• Secure Default Settings: Configure products with secure default settings “out of the box,” minimizing the need for customers to manually adjust configurations and reducing the risk of misconfigurations.
• Shifting the Burden: Instead of relying on customers to constantly patch vulnerabilities and implement security measures, manufacturers should take responsibility for proactively mitigating risks and ensuring their products are secure by default.

2. Embrace Radical Transparency and Accountability

Software manufacturers should be transparent about their security practices and actively engage with the security community. This includes:

• Publicly Sharing Information: Sharing insights gained from customer deployments, such as the adoption of strong authentication mechanisms, to foster a collaborative approach to security.
• Comprehensive Vulnerability Reporting: Providing detailed and accurate vulnerability advisories and Common Vulnerability and Exposure (CVE) records to enable timely mitigation.
• Continuous Improvement: Regularly assessing and improving security practices based on feedback from customers, security researchers, and the broader community.

3. Lead from the Top

Achieving a Secure by Design culture requires strong leadership from senior executives. This means:

• Prioritizing Security: Recognizing security as a critical element of product development and allocating resources accordingly.
• Building a Security-Focused Culture: Establishing policies and procedures that reward and incentivize teams for implementing secure development practices.
• Accountability and Oversight: Holding teams accountable for delivering secure products and establishing independent security assessment and evaluation programs.

Secure by Design Tactics

To implement these principles effectively, manufacturers should consider a range of tactics:

• Threat Modeling: Conduct thorough threat modeling during the design and development phases to identify potential vulnerabilities and design appropriate mitigation strategies.
• Secure Development Practices: Implement robust SDLC processes that incorporate security considerations at every stage, from requirements gathering to testing and deployment.
• Code Review and Static Analysis: Utilize code review and static analysis tools to identify potential vulnerabilities early in the development process.
• Penetration Testing: Conduct regular penetration testing to simulate real-world attacks and identify exploitable weaknesses.
• Bug Bounty Programs: Offer incentives to security researchers to discover and report vulnerabilities, encouraging a collaborative approach to security.

Secure by Default: A Foundation for Secure by Design

Secure by Default is a crucial aspect of Secure by Design. It means products are configured securely “out of the box” with minimal or no configuration required by the user. This ensures that even users with limited technical expertise are protected from common vulnerabilities.

Key Principles of Secure by Default:

• Secure Configuration as the Default: Automatically enable essential security controls to protect against prevalent threats.
• User-Friendly Security: Make security configurations easy to understand and manage, minimizing the burden on users.
• No Additional Cost for Security: Include security features as standard components of the product, without charging extra for enhanced security.

Benefits of Secure by Design for Enterprise Businesses

Adopting a Secure by Design approach offers numerous benefits for enterprise businesses:

• Reduced Risk of Cyberattacks: Proactively mitigating vulnerabilities reduces the likelihood of successful attacks, safeguarding sensitive data and critical infrastructure.
• Improved Security Posture: Stronger security controls and default settings enhance the overall security posture of the organization.
• Lowered Costs: Reduced vulnerabilities lead to fewer security incidents, resulting in lower costs associated with remediation, incident response, and reputational damage.
• Enhanced Compliance: Secure by Design practices align with industry standards and regulatory requirements, simplifying compliance efforts.
• Improved Business Reputation: Demonstrating a commitment to security builds trust with customers and partners, enhancing the organization’s reputation.

Secure by Demand: The Role of Enterprise Customers

Enterprise customers play a crucial role in driving the adoption of Secure by Design. They can:

• Demand Secure Products: Insist on products that are built with security as a primary consideration and incorporate Secure by Default features.
• Ask Critical Questions: Engage with vendors to understand their security practices and ask questions about their commitment to Secure by Design.
• Collaborate with Vendors: Work with vendors to identify and address security risks, fostering a collaborative approach to security.

UK’s Government’s Secure by Design Guidelines: The Ten Principles of Secure by Design

The UK Government’s Secure by Design policy outlines ten key principles that should be adopted by all organizations, particularly government departments and arm’s-length bodies (ALBs), to ensure the security of their digital services. These principles are designed to be flexible and adaptable to different contexts, allowing organizations to tailor them to their specific needs while still adhering to the core principles.

Ten Principles of Secure by Design (UK Government)

1. Create Responsibility for Cyber Security Risk: Assign clear ownership for managing cyber security risks throughout the service lifecycle. This responsibility should be held by senior stakeholders with the authority and expertise to lead on security activities.
   • Outcomes: Cyber security is considered at the highest levels of leadership, aligning with the project’s risk appetite. Adequate resources are allocated to manage security risks effectively throughout the service lifecycle.
   • Activities: Integrate security considerations into the business case, identify necessary security resources, establish clear roles and responsibilities for security management.
2. Source Secure Technology Products: Conduct rigorous security due diligence when selecting third-party products. Continuously assess platforms, software, and code for security vulnerabilities. Mitigate identified risks and share findings with suppliers to encourage them to improve product security.
   • Outcomes: Informed decisions are made regarding the trade-offs between security, performance, usability, and functionality. Risks associated with using third-party products are minimized.
   • Activities: Manage third-party product security risks, discover vulnerabilities, and implement appropriate mitigation strategies.
3. Adopt a Risk-Driven Approach: Establish a clear understanding of the project’s risk appetite and maintain a dynamic assessment of cyber security risks. This ensures that security controls are appropriate for the evolving threat landscape.
   • Outcomes: A dynamic risk management process is in place to respond to emerging threats.
   • Activities: Integrate security considerations into the business case, define the project’s security risk appetite, understand relevant cyber security obligations, document service assets, assess the importance of service assets, conduct threat modeling and security risk assessments, agree on a set of security controls for the service, respond to and mitigate security risks, and retire service components securely.
4. Design Usable Security Controls: Conduct regular user research and incorporate findings into service design to ensure that security processes are user-friendly and effective.
   • Outcomes: A secure service with security controls that minimize friction for users. Insecure practices are avoided by removing incentives for users to find workarounds.
   • Activities: Integrate security considerations into the business case, understand business objectives and user needs, respond to and mitigate security risks, assess the effectiveness of security controls.
5. Build in Detect and Respond Security: Design for the inevitability of security vulnerabilities and incidents. Integrate robust security logging, monitoring, alerting, and response capabilities. These capabilities should be continuously tested and iterated upon.
   • Outcomes: Effective capabilities to detect, respond to, and recover from incidents. Fewer vulnerabilities that could be exploited or go undetected.
   • Activities: Respond to and mitigate security risks, assess the effectiveness of security controls, implement a vulnerability management process, discover vulnerabilities, manage observability.
6. Design Flexible Architectures: Implement digital services and update legacy components to facilitate the easy integration of new security controls. This ensures responsiveness to changes in business requirements, cyber threats, and vulnerabilities.
   • Outcomes: Changes can be made without compromising security. Faster response times to evolving cyber threats.
   • Activities: Respond to and mitigate security risks, assess the effectiveness of security controls.
7. Minimize the Attack Surface: Use only the necessary capabilities, software, data, and hardware components to mitigate cyber security risks while achieving the service’s intended purpose.
   • Outcomes: Reduce opportunities for attackers to exploit vulnerabilities in the service. Make the service more cost-effective to operate and maintain.
   • Activities: Document service assets, perform threat modeling, respond to and mitigate security risks, assess the effectiveness of security controls, discover vulnerabilities, manage observability, retire service components securely.
8. Defend in Depth: Create layered controls across the service to make it harder for attackers to fully compromise the system if a single control fails or is overcome.
   • Outcomes: Increase the time, effort, and cost required for an attacker to compromise the service. Contain the impact of vulnerabilities.
   • Activities: Respond to and mitigate security risks, assess the effectiveness of security controls.
9. Embed Continuous Assurance: Implement continuous security assurance processes to build confidence in the effectiveness of security controls, both at the point of delivery and throughout the operational life of the service.
   • Outcomes: Risk owners are provided with evidence that security controls and capabilities operate as intended. The service is built and maintained with the appropriate controls to mitigate security risks. Security controls operate effectively and are updated to reflect changes in the service or threat landscape.
   • Activities: Integrate security considerations into the business case, define the project’s security risk appetite, understand relevant cyber security obligations, implement a vulnerability management process, track Secure by Design progress, assess the effectiveness of security controls.
10. Make Changes Securely: Embed security into the design, development, and deployment processes to ensure that the security impact of changes is considered alongside other factors.
    • Outcomes: The security of the service is not compromised by changes or updates.
    • Activities: Agree on a set of security controls for the service, evaluate the security impact of changes, retire service components securely.

Conclusion: A Shared Responsibility for a Secure Future

Secure by Design is not just a technical approach; it’s a cultural shift that requires a shared commitment from both software manufacturers and enterprise customers. By embracing this philosophy, we can create a future where technology is inherently secure, resilient, and trustworthy.

Key Takeaways for Enterprise Businesses:

• Prioritize Secure by Design: Insist on products that are built with security as a core principle.
• Engage with Vendors: Ask critical questions about security practices and demand transparency.
• Advocate for Secure by Default: Encourage vendors to adopt secure default settings and make security features readily available.

By working together, we can build a more secure digital landscape for everyone.