CISA Publishes Joint Advisory

CISA, in collaboration with all major Western security organisations, has published a joint advisory addressed to all software manufacturers. This call to action explicitly calls out the importance of executive leadership in driving the “Secure-by-Design” and “Secure-by-Default” mindset. It speaks to the need for greater transparency and for lessening the burden on the customer to secure these products.

The advisory begins by mapping out three simple Software Product Security Principles:

“1. The burden of security should not fall solely on the customer. Software manufacturers should take ownership of the security outcomes of their customer’s purchase and evolve their products accordingly.

2. Embrace radical transparency and accountability. Software manufacturers should pride themselves in delivering safe and secure products, as well as differentiating themselves among the rest of the manufacturer community based on their ability to do so. This may include sharing information they learn from their customer deployments, such as the uptake of strong authentication mechanisms by default. It also includes a strong commitment to ensure vulnerability advisories and associated common vulnerability and exposure (CVE) records are complete and accurate. However, beware of the temptation to count CVEs as a negative metric, since such numbers are also a sign of a healthy code analysis and testing community.

3. Build organizational structure and leadership to achieve these goals. While technical subject matter expertise is critical to product security, senior executives are the primary decision makers for implementing change in an organization.”

I encourage all executives responsible for the production of software products to read this 15-page document.
