Three senior advisors from CISA discuss the importance of secure software code and explore the ongoing research and open questions for establishing a secure-by-design standard. They delve into the concept of secure-by-design, the lack of security training in top schools, and the importance of field tests. The application of principles, gaps in knowledge, measuring security, and the need for data are also discussed.
Software manufacturers need to take ownership of customer security outcomes and prioritize cybersecurity at the senior business leader level.
Collaborative efforts and partnerships among stakeholders are crucial in defining secure-by-design best practices.
Measuring the costs and benefits of implementing secure-by-design tactics, as well as collecting comprehensive data on vulnerabilities and incidents, are essential for improving software security.
Deep dives
Understanding Secure-by-Design: Principles and Implementation
In this Lawfare podcast episode, senior advisors from the Cybersecurity and Infrastructure Security Agency (CISA) discuss the concept of secure-by-design in relation to President Biden's Cybersecurity Strategy. They emphasize the need for software manufacturers to take ownership of customer security outcomes, promote radical transparency, and ensure that senior business leaders prioritize cybersecurity. They highlight the importance of understanding the cost of defects and the benefits of adopting secure-by-design practices. The discussion also explores the role of metrics in measuring security and the need for data collection, including a database of vulnerabilities and incidents. Overall, the episode underscores the importance of collaborative efforts in achieving secure-by-design standards.
Economics and Incentives in Secure-by-Design
The podcast delves into the economic aspects of secure-by-design, considering questions such as who should bear the cost of implementing security measures and how to incentivize organizations to invest in secure software. The discussion explores measuring the costs of implementing secure-by-design tactics and the benefits of eliminating classes of vulnerabilities. The episode emphasizes the need to shift the focus from short-term gains and cost savings to long-term benefits and innovation potentials. It also touches on the impact of secure-by-design on market dynamics and the role of stakeholders in driving change.
Technical Considerations in Secure-by-Design
The episode examines the technical aspects of secure-by-design and highlights the need for more transparency in the software development life cycle. The discussion emphasizes the importance of core principles, such as ownership of customer security outcomes, radical transparency, and leadership commitment. It also addresses specific technical considerations, including training developers, measuring the cost of defects, and conducting field tests to improve software security. The episode emphasizes the recurring nature of certain coding errors and the need for continuous improvement in the tech stack and memory safety. It also calls for research on the costs and benefits of adopting secure-by-design tactics.
Policy and Coordination in Secure-by-Design
The podcast explores the policy aspects of secure-by-design, focusing on coordination among stakeholders, decision-making processes, and the role of mandates versus voluntary actions. The episode emphasizes the importance of interagency collaboration and partnerships with the technology industry in defining best practices for secure software development. It discusses the need for a harmonized approach in interpreting existing standards and frameworks, and the balance between outcome-based factors and process-based components. Additionally, the episode addresses questions of liability, cost distribution, and the broader impacts of secure-by-design interventions. It highlights the role of SISA in facilitating collaboration and defining the set of best practices.
Measuring Security and Open Questions
The discussion delves into the challenges of measuring security and identifying key metrics to assess the effectiveness of secure-by-design practices. It emphasizes the need for comprehensive databases of cybersecurity incidents and vulnerabilities, highlighting the ongoing efforts of SISA. The episode underlines the importance of understanding root causes of vulnerabilities and incidents, as well as the expenses and benefits associated with secure-by-design investments. It calls for additional research on quantifying the costs and benefits of secure software and the measurement of innovation in the field of cybersecurity. The episode concludes by inviting listeners to contribute their insights and participate in shaping the future of secure-by-design through collaboration and engagement.
Secure by Design means different things to different people. As part of Lawfare’s ongoing project to understand what Secure by Design might mean in practice, we are trying to identify the open questions—areas where research or inquiry might help our collective understanding of the concept and how it might work. Lawfare Contributing Editor Paul Rosenzweig sat down with three Senior Advisers to CISA—Lauren Zabierek, Jack Cable, and Bob Lord—who work on the cutting edge of SbD design and implementation, to get their thoughts on research that would be of ongoing value to their efforts to define an SbD standard.
You can watch a video version of their conversation here.
For more information, including the resources mentioned in this episode:
