Embedding Security by Design: A Shared Responsibility in Today’s Tech Landscape

Amid Growing Cybersecurity Threats, Calls for Security by Design

The prevalence of cybersecurity breaches is evidence of the huge challenge faced by developers trying to build secure software. Incentivized to get their products to market quickly, software manufacturers often take shortcuts on security. The recent intent of the White House to hold vendors accountable for poor software security through legislation could be seen as an attempt to correct the current market incentives. However, developing secure software is becoming increasingly challenging as software architecture grows in complexity, with every sector of the economy being transformed by software.

Fast on the heels of this news, the US Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency, aligned with the cybersecurity authorities of Australia, Canada, the United Kingdom, Germany, the Netherlands, and New Zealand, created guidelines in April aimed at supporting software manufacturers to “embed security-by-design and by-default.” In this new paper, the agencies call on software makers to deploy threat modeling at the design stage to develop secure software.

The Challenge

Although all software developers want to build secure software, security risks at the design stage often go unnoticed. Most software security activities are concentrated at the end of the development process, which creates problems. Scanning software with application security testing tools can miss more complex flaws in the design of an application. When a bug is identified after development is complete, remediation can be costly and time-consuming. It is much better to identify and address security flaws before code is written, through the process of threat modeling. There are various approaches to threat modeling, but the fundamental objective is to analyze the system design as a cross-functional team to identify potential security and privacy issues and develop solutions to solve or mitigate them.

Security by Design and Threat Modeling

Most developers today join the workplace without the technical knowledge to build secure software, especially in threat modeling. It is a software skill that requires investment and time to learn. The focus of the developer is on the functionality that they are developing, not on how a threat actor might find a vulnerability in that new functionality. This leads us to the second barrier: a lack of clarity over where the responsibility for security at the design stage lies, which often results in the process of threat modeling falling through the cracks.

Despite their fundamental role, the development team often views security as the responsibility of the security team. This is entirely understandable, given that in most businesses, knowledge about the process of threat modeling and of the security risks is held by the security team. Just as engineers are needed to design secure software, the security team’s insight into the evolving attack vectors used by threat actors is essential to building secure software. Until these two teams work together at the start of the software development process and a shared community practice of threat modeling is embedded with shared responsibility, this problem won’t be solved.

Embedding Security by Design

The third barrier is that, until recently, traditional approaches to threat modeling have been impractical when developing software on a large scale. For an organization that builds many thousands of applications, the traditional approach to threat modeling, as a group in a meeting room with a whiteboard, isn’t feasible. However, automation of this process is now possible. Developers can use automation to generate a threat model that contains relevant threats and countermeasures.

This recent guidance from leading cybersecurity agencies demonstrates that security by design is no longer just best practice – it is fundamental in software development. The tools now exist to make it achievable, but it must be a shared endeavor, with development and security teams working closely together before a line of code is written.

Editorial and Advice

Businesses must understand that software security is critical to their success amidst the rapidly growing complexity of software architectures. As technological advancements continue and cyber threats become increasingly sophisticated, software security must be ingrained in every aspect of the software development process. The US government’s intention to legislate liability for software makers to keep their manufactured products secure implies that this issue cannot be ignored any longer. In a world where security breaches can cost companies millions of dollars, consumers must demand that businesses take a proactive approach and embrace security by design as a fundamental process.

<< photo by Rayner Simpson >>
