
Five Eyes cyber crackdown targets insecure software development

Cyber security bodies from nations in the Five Eyes alliance and more are cracking down on software firms that sell products with security flaws that are only patched later.

Daniel Croft
Tue, 18 Apr 2023

The Australian Signals Directorate and Australian Cyber Security Centre (ACSC), alongside cyber authorities from Canada, Germany, the Netherlands, New Zealand and the UK, joined the US’ FBI and NSA in developing a guidance report that pressures developers to release products that are secure-by-design and -default.

Fully titled “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default”, the new guidance publication outlines several core principles that “break the vicious cycle of creating and applying fixes”.

“This guidance, the first of its kind, is intended to catalyse progress toward further investments and cultural shifts necessary to achieve a safe and secure future,” said the US’ Cybersecurity and Infrastructure Security Agency.


“In addition to specific technical recommendations, this guidance outlines several core principles to guide software manufacturers in building software security into their design processes prior to developing, configuring, and shipping their products.”

Products that are secure-by-design and secure-by-default are designed to be secure foundationally and without any additional costs or effort, respectively.

Alongside stating that software development needs to follow the above principles, the guidance made a number of recommendations to software vendors, including the notion that “the burden of security should not fall solely on the customer” and that to achieve the goal of a secure product, organisations should “build organisational structure and leadership”.

“Cyber security cannot be an afterthought,” said Abigail Bradshaw, head of the Australian Cyber Security Centre.

“Consumers deserve products that are secure from the outset. Strong and ongoing engagement between government, industry and the public is vital to putting cyber security at the centre of the technology design process.”

Rob Joyce, cyber security director for the NSA, called insecure technology a potential risk to “individual users and our national security”.

“If manufacturers consistently prioritise security during design and development, we can reduce the number of malicious cyber intrusions we see. The international coalition partnering on this report speaks to the importance of this issue,” Joyce said.

The full guidance report and list of recommendations can be found on the CISA website.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
