
Persistent use of unsecured software development practices continues, in spite of CISA's efforts to promote safer practices.

Despite ongoing attempts by the agency, the sector fails to make substantial advancements in eliminating code vulnerabilities, persisting classes of risks.


In an effort to enhance cybersecurity and reduce the risk of software vulnerabilities, the Cybersecurity and Infrastructure Security Agency (CISA) is urging software vendors to adopt a secure-by-design approach. This approach aims to eliminate entire classes of defects, coding errors, and vulnerabilities from software products.

According to CISA Senior Technical Advisors Bob Lord, Jack Cable, and Senior Advisor Lauren Zabierek, methods to prevent many of these classes of defect have been known for years, and even decades. The software industry can move towards eliminating classes of defects by adopting a multi-faceted approach that includes proactive vulnerability management, secure coding practices, and strong operational security measures.

Key strategies recommended or implied by CISA include timely identification and remediation of known vulnerabilities, implementing robust attack surface reduction and segmentation, using security tools and monitoring, enforcing strong authentication and access controls, updating and securely configuring devices and software, and following secure software development practices.

The secure-by-design pledge calls for software firms to eliminate whole classes of defects such as cross-site scripting (XSS), SQL injection, directory traversal, and the use of memory-unsafe languages. CISA unveiled these principles in April 2023, and 68 vendors signed the pledge last week at the RSA Conference in San Francisco.
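As an added illustration of what "eliminating a class of defect" means for one of the classes named above (this is example code, not from the article or from CISA), the following compares a lookup that splices user input into SQL text with one that uses a parameterized query. It runs against a constructed in-memory SQLite table with two sample rows.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the article).
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list[str]:
    """The defect class: input is spliced into the SQL text, so input can
    change the structure of the query, not merely the value compared."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list[str]:
    """Secure by design: the query text is fixed at write time and the
    driver passes the value separately, so no input, whatever it contains,
    can alter the query's structure. The class is eliminated rather than
    patched instance by instance."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name: str) -> dict[str, list[str]]:
    """Run both lookups on the same input so the difference is visible."""
    conn = make_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(conn, name),
            "parameterized": lookup_parameterized(conn, name),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A benign name behaves the same either way; a constructed input that
    # closes the quote and appends a tautology does not.
    print(compare("alice"))
    print(compare("' OR '1'='1"))
```

Detection of this class in review is mechanical: any query built with string formatting or concatenation from request data is an instance, regardless of what validation sits in front of it.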

However, Allison Nixon, chief research officer at Unit 221B, believes that CISA's public pressure campaign is unproductive. She criticizes the focus on flawed code and suggests that the true root cause of unsafe software lies in common, destructive patterns in corporate America. Nixon suggests that the federal government should instead focus on preventing lawyers from interfering with cybersecurity work and on punishing companies that harm cybersecurity by trading long-term costs for short-term gain.

Despite CISA's efforts, the problem of these defects persists, indicating a limited capability to change long-ingrained software development practices. CISA lacks regulatory power to compel companies to meet its recommendations, which may contribute to the ongoing issue.

Nixon describes the dialogue between government officials and industry stakeholders on technical matters as an "endless loop." She believes that meaningful change requires the resources, will, and power to make the behavior pattern stop.

In summary, the pathway involves prioritizing known vulnerability remediation, strengthening system architectures and access controls, deploying advanced threat detection capabilities, and embedding security throughout software development and operational processes following CISA’s strategic guidance. The software industry as a whole is not making sufficient progress in eliminating common classes of coding error, and the focus should shift towards performing root-cause analysis and working towards eliminating classes of defect.

  1. The Cybersecurity and Infrastructure Security Agency (CISA) suggests that the software industry can eliminate common classes of defects by adopting a secure-by-design approach, which includes strategies like timely identification and remediation of known vulnerabilities, secure coding practices, and strong operational security measures.
  2. CISA's secure-by-design pledge calls for software firms to stop using flawed coding such as cross-site scripting (XSS), SQL injection, directory traversal, and memory-unsafe languages, but Allison Nixon, chief research officer at Unit 221B, argues that the true root cause of unsafe software lies in common, destructive patterns in corporate America.
