.png)
Too often, out-of-the-box technology products leave their customers exposed. They contain critical vulnerabilities, misconfigurations, and out-of-date policies. Often, patches and other remediations exist to plug these gaps, but many organizations struggle to keep up, leaving them in a reactive stance. To change this, organizations must shift to a proactive security posture, where cyber hygiene is prioritized and prevention is the goal.
This was the heart of a clarion call that was issued in the highest levels of government and business in recent years, as frustration with the status quo led to a new movement to shift the mindset of technology developers and manufacturers. Secure by Design has emerged as a new rallying point, calling on organizations to make security a feature of every technology product. The push to become Secure by Design started in the Cybersecurity and Infrastructure Security Agency (CISA), and soon spread across the executive branch of the federal government. Through the Secure by Design Pledge, it was quickly adopted by some of the most influential technology manufacturers and developers across the country. There’s an opportunity for everyone to take up this charge. In the process, security teams can shift to the front foot, and the world will become more secure.
Secure by Design calls for the integration of tools and processes that strengthen cyber hygiene throughout the technology lifecycle, creating a world where protection is deployed continuously, just like any other product update. By taking ownership of cybersecurity, technology developers and manufacturers can ensure products are safe, and empower customers to join in the effort to prioritize security.
Secure by Design is not limited to a focus on creating secure software and devices. Securing infrastructure is a crucial step that cannot be overlooked, and it is foundational both to successful operations and strengthening overall security posture. By adopting Security Control Management, organizations can apply Secure by Design principles to infrastructure, while tailoring policies to organizational requirements and automating proactive validation and enforcement. This allows government organizations and businesses to increase efficiency and reduce risk.
Secure by Design isn’t just a clarion call; it’s an actionable set of steps that organizations can take to embed security policies and best practices throughout their operations. In this piece, we’ll explore the elements of Secure by Design, and explore the implications for infrastructure and Security Control Management.
In a more connected world, security must be deeply embedded into every stage of the technology lifecycle, from development and delivery to ongoing operations. That’s why CISA released the Secure by Design principles in 2023. The core goal of these principles is to shift the responsibility for cybersecurity from the customer to the developers and manufacturers of technology. High-level principles are:
- Take ownership of customer security outcomes in product design and development
- Embrace radical transparency and accountability, including information sharing, and updating CVE records
- Build organizational structure and leadership to achieve these goals, not just at the technical level, but at the executive level as well
- By committing to these principles, organizations are well on their way to making Secure by Design a standard operating procedure.
While committing to Secure by Design principles is critical, it does not guarantee success on its own. Organizations must implement a number of tactics and practices on the journey to creating and maintaining technology that is Secure by Design. Like all technology teams, they must measure the results and pivot when necessary. This imperative is at the heart of the Secure by Design Pledge. Through this pledge, businesses make a commitment to make progress toward seven concrete goals. With the weight of the federal government behind it, the pledge has quickly gained support from hundreds of organizations, from GitHub and Google, to Microsoft and Cisco. Sicura is a proud signee, underscoring our commitment to not only the principles themselves, but the power of coming together to inspire change.
The goals of the pledge included some of the largest threat vectors in cybersecurity, including the following:
- Increase the use of multifactor authentication across products
- Reduce default passwords
- Reduce entire classes of vulnerability
- Increase security patch installations by customers
- Publish a vulnerability disclosure policy that urges testing and reporting by the public
- Update CVEs to increase transparency
- Increase customer capability to gather evidence of cybersecurity intrusions
Passwords and patches may seem like basic elements of security, but in truth, these are where some of the most common vulnerabilities lie, and serve as the entry point for attackers to wreak havoc on systems. Cybersecurity has overlooked the basics for too long. Through the Secure by Design Pledge, the federal government created a new way to promote the best practices that so often fall through the cracks, and a way to stand up and be counted. What’s more, companies that signed the pledge set out to make measurable progress toward each of these goals.
The Secure By Design Principles have major implications across the technology stack. In particular, the infrastructure and OS layer is often a source of vulnerabilities, as out-of-the-box products often contain factory default settings that are too permissive. If configurations are not updated and hardened over time, it can leave systems open to intrusion, allowing attackers to gain access to a system and move laterally to steal information.
Today, default configurations are often misconfigurations. This is leading to devastating cyber attacks. According to Microsoft, over 80% of ransomware attacks exploit common configuration errors. In 2019, an attacker exploited a misconfigured cloud storage bucket to steal personal information from 100 million credit applications to Capital One. In 2021, a misconfigured default setting in Microsoft Power Apps used by major companies and governments exposed 38 million health records on the open internet.
These attacks underscored the importance of:
- Establishing a secure baseline
- Ensuring it is continuously updated over time
Adopting Secure by Design Principles will allow organizations to take important steps to correct misconfigurations, and establish a process to enforce policies and remediate issues as they arise.
Meeting the goals of Secure by Design isn’t just a technology imperative. Businesses and government organizations must consider their organizational goals, how they will resource implementation, and the publicly-available frameworks that can help to achieve their goals.
Security controls are key mechanisms that help organizations to balance all of this, and optimize for success. Organizations that adopt a Secure by Design approach to security controls are able to ensure the application of the critical security controls necessary to protect IT assets and allow their secure development and deployment.
In particular, security controls promote the following:
- Confidentiality, to preserve authorized restrictions on information access and disclosure
- Integrity, to guard against improper information modification or destruction and ensuring information non-repudiation and authenticity
- Availability, to ensure timely and reliable access to and use of information
While these are applicable to any business, implementing them requires an approach that is unique to an organization, aligning with sector-specific policies while meeting the goals of the organization and the mission. Security controls are often mapped into compliance frameworks such as:
- PCI DSS
- NIST Cybersecurity Framework (CSF)
- NIST Special Publication 800-53
- HIPPA
- ISO 27001
With Security Control Management, organizations can ensure security controls meet Secure by Design principles, while meeting their specific needs. Security Control Management has several foundational elements, including:
- Security Profiles that are unique to an organization’s requirements, with customized controls and benchmarks chosen for the environment
- Continuous Assessment and Remediation of failing controls over time, including the addition of benchmarks
- Validation of unique profiles through scanning over time, allowing adherence to custom profiles instead of stock tools
Security Control Management is where Secure by Design is put into practice. With SCM in place, organizations can align security with operational needs, while improving incident response capabilities. That’s how a proactive security posture is built into the foundation of an organization’s technology, and continuously deployed over time.
Too often, out-of-the-box technology products leave their customers exposed. They contain critical vulnerabilities, misconfigurations, and out-of-date policies. Often, patches and other remediations exist to plug these gaps, but many organizations struggle to keep up, leaving them in a reactive stance. To change this, organizations must shift to a proactive security posture, where cyber hygiene is prioritized and prevention is the goal.
This was the heart of a clarion call that was issued in the highest levels of government and business in recent years, as frustration with the status quo led to a new movement to shift the mindset of technology developers and manufacturers. Secure by Design has emerged as a new rallying point, calling on organizations to make security a feature of every technology product. The push to become Secure by Design started in the Cybersecurity and Infrastructure Security Agency (CISA), and soon spread across the executive branch of the federal government. Through the Secure by Design Pledge, it was quickly adopted by some of the most influential technology manufacturers and developers across the country. There’s an opportunity for everyone to take up this charge. In the process, security teams can shift to the front foot, and the world will become more secure.
Secure by Design calls for the integration of tools and processes that strengthen cyber hygiene throughout the technology lifecycle, creating a world where protection is deployed continuously, just like any other product update. By taking ownership of cybersecurity, technology developers and manufacturers can ensure products are safe, and empower customers to join in the effort to prioritize security.
Secure by Design is not limited to a focus on creating secure software and devices. Securing infrastructure is a crucial step that cannot be overlooked, and it is foundational both to successful operations and strengthening overall security posture. By adopting Security Control Management, organizations can apply Secure by Design principles to infrastructure, while tailoring policies to organizational requirements and automating proactive validation and enforcement. This allows government organizations and businesses to increase efficiency and reduce risk.
Secure by Design isn’t just a clarion call; it’s an actionable set of steps that organizations can take to embed security policies and best practices throughout their operations. In this piece, we’ll explore the elements of Secure by Design, and explore the implications for infrastructure and Security Control Management.
In a more connected world, security must be deeply embedded into every stage of the technology lifecycle, from development and delivery to ongoing operations. That’s why CISA released the Secure by Design principles in 2023. The core goal of these principles is to shift the responsibility for cybersecurity from the customer to the developers and manufacturers of technology. High-level principles are:
- Take ownership of customer security outcomes in product design and development
- Embrace radical transparency and accountability, including information sharing, and updating CVE records
- Build organizational structure and leadership to achieve these goals, not just at the technical level, but at the executive level as well
- By committing to these principles, organizations are well on their way to making Secure by Design a standard operating procedure.
While committing to Secure by Design principles is critical, it does not guarantee success on its own. Organizations must implement a number of tactics and practices on the journey to creating and maintaining technology that is Secure by Design. Like all technology teams, they must measure the results and pivot when necessary. This imperative is at the heart of the Secure by Design Pledge. Through this pledge, businesses make a commitment to make progress toward seven concrete goals. With the weight of the federal government behind it, the pledge has quickly gained support from hundreds of organizations, from GitHub and Google, to Microsoft and Cisco. Sicura is a proud signee, underscoring our commitment to not only the principles themselves, but the power of coming together to inspire change.
The goals of the pledge included some of the largest threat vectors in cybersecurity, including the following:
- Increase the use of multifactor authentication across products
- Reduce default passwords
- Reduce entire classes of vulnerability
- Increase security patch installations by customers
- Publish a vulnerability disclosure policy that urges testing and reporting by the public
- Update CVEs to increase transparency
- Increase customer capability to gather evidence of cybersecurity intrusions
Passwords and patches may seem like basic elements of security, but in truth, these are where some of the most common vulnerabilities lie, and serve as the entry point for attackers to wreak havoc on systems. Cybersecurity has overlooked the basics for too long. Through the Secure by Design Pledge, the federal government created a new way to promote the best practices that so often fall through the cracks, and a way to stand up and be counted. What’s more, companies that signed the pledge set out to make measurable progress toward each of these goals.
The Secure By Design Principles have major implications across the technology stack. In particular, the infrastructure and OS layer is often a source of vulnerabilities, as out-of-the-box products often contain factory default settings that are too permissive. If configurations are not updated and hardened over time, it can leave systems open to intrusion, allowing attackers to gain access to a system and move laterally to steal information.
Today, default configurations are often misconfigurations. This is leading to devastating cyber attacks. According to Microsoft, over 80% of ransomware attacks exploit common configuration errors. In 2019, an attacker exploited a misconfigured cloud storage bucket to steal personal information from 100 million credit applications to Capital One. In 2021, a misconfigured default setting in Microsoft Power Apps used by major companies and governments exposed 38 million health records on the open internet.
These attacks underscored the importance of:
- Establishing a secure baseline
- Ensuring it is continuously updated over time
Adopting Secure by Design Principles will allow organizations to take important steps to correct misconfigurations, and establish a process to enforce policies and remediate issues as they arise.
Meeting the goals of Secure by Design isn’t just a technology imperative. Businesses and government organizations must consider their organizational goals, how they will resource implementation, and the publicly-available frameworks that can help to achieve their goals.
Security controls are key mechanisms that help organizations to balance all of this, and optimize for success. Organizations that adopt a Secure by Design approach to security controls are able to ensure the application of the critical security controls necessary to protect IT assets and allow their secure development and deployment.
In particular, security controls promote the following:
- Confidentiality, to preserve authorized restrictions on information access and disclosure
- Integrity, to guard against improper information modification or destruction and ensuring information non-repudiation and authenticity
- Availability, to ensure timely and reliable access to and use of information
While these are applicable to any business, implementing them requires an approach that is unique to an organization, aligning with sector-specific policies while meeting the goals of the organization and the mission. Security controls are often mapped into compliance frameworks such as:
- PCI DSS
- NIST Cybersecurity Framework (CSF)
- NIST Special Publication 800-53
- HIPPA
- ISO 27001
With Security Control Management, organizations can ensure security controls meet Secure by Design principles, while meeting their specific needs. Security Control Management has several foundational elements, including:
- Security Profiles that are unique to an organization’s requirements, with customized controls and benchmarks chosen for the environment
- Continuous Assessment and Remediation of failing controls over time, including the addition of benchmarks
- Validation of unique profiles through scanning over time, allowing adherence to custom profiles instead of stock tools
Security Control Management is where Secure by Design is put into practice. With SCM in place, organizations can align security with operational needs, while improving incident response capabilities. That’s how a proactive security posture is built into the foundation of an organization’s technology, and continuously deployed over time.
Ready to maintain secure and compliant infrastructure focused on cost, automation, and consistency?