Introduction
In a speech at Carnegie Mellon University (read the transcript here), CISA Director Jen Easterly urged consumers, businesses, and especially technology companies to change their approach in regard to cyber security. She also lamented the normalization of operations on the edge of the accident boundary by utilizing the users as “crash test dummies” for new technology.
The CISAs Directors' vision is a technology created with “security by design”, strong security as a base feature, and prioritization of consumer safety at all steps of the development process.
People should no longer accept cyber vulnerabilities
Americans should not accept the fact that critical infrastructure and they themselves are vulnerable to cyber-attacks. It is a real threat and in light of current global crises, it's growing in importance and it’s turning into a more and more serious problem.
In order for the US as a nation and global communities to be prepared for these types of events, everyone will need to work together towards solutions that will help protect critical infrastructure, businesses, and individuals from cyber threats.
The culture of secrecy around cyber attacks needs to end
To that end, CISA Director Easterly urges organizations to end the culture of secrecy around cyber attacks.
Organizations need to be transparent about cyber attacks and share information with vendors and with the public so that they can protect themselves. The culture of secrecy leads to the reusability of exploits and flaws in future attacks, a state that only increases the danger to everyone. “A cyber threat to one organization is a cyber threat to all organizations”.
Unsafe release states of technology are unacceptable
Companies should not continue to release unsafe technology products into the market. They must be held accountable for the safety of their products and held responsible for any damages caused by them. To that end, the blame for cyber attacks should not necessarily lie with the victims, responsibility falls more to the producers of unsafe technology.
Therefore, a model of more sustainable cybersecurity is needed, where responsibility for defending the ecosystem lies with those with the most capabilities and in the best position to do so and where investments in safety and resilience are incentivized.
The current model for developing technology needs to be disrupted and replaced with one that prioritizes safety from the beginning
The current model for developing technology needs to be disrupted and replaced with one that prioritizes safety from the beginning.
Security by design is a good start, but it's not enough. We need to prioritize security at every step of development, including choosing memory-safe languages like Rust or Go over C++ and C, mandating transparency from vendors, and increasing the prioritization of security in software development processes so that we're not just fixing bugs after they've been introduced into code bases by developers who aren't thinking about them ahead of time.
This approach will not only be more beneficial in the long run in regard to security, it also has economic advantages. By having a secure environment, the costs of maintaining your product and keeping up with the latest security standards get reduced. Human, technological, and monetary resources that you would normally need to fix security exploits in your live patches can instead be used in other departments if your product is safer from its release state with the measures described above.
Technology companies should transition to using memory-unsafe languages in their development process
Technology companies should transition to using memory-unsafe languages in their development process.
Memory-unsafe languages are vulnerable to memory corruption bugs, which are a type of security vulnerability that can allow an attacker to execute arbitrary code on a system or cause other damage. The most common causes include buffer overflows and out-of-bounds array accesses (OBA).
Regulation needs to be adjusted
Jen Easterly admits that the government has its role to play in those developments as well by incentivizing outcomes and operationalizing principles. She cites efforts taken by the Biden administration to use the purchasing power of the government to create better security outcomes. Establishing software security requirements for federal contractors and efforts towards the adoption of security labels for connected consumer devices are chosen as examples. Additionally, she wants to shift liability onto entities that fail to live up to the duty of care they owe their customers through the advancement of legislation.
One concrete measure taken by CISA to support radical transparency in technology software in products is their focus on advancing the use of Software Bill of Materials (SBOMs), an inventory of open-source components, and other code dependencies.
Adopting "security by design" principles would help ensure that developers create safe products from start to finish rather than simply patching them after they've been released
Security by design is a mindset. It's a process, it's a culture and it's an industry standard that requires the cooperation of all stakeholders to succeed.
It's important for developers to recognize that security is not just about protecting data or systems--it also means making sure users are protected from malicious actors who might harm them in some way. This can be done by building in privacy controls right from the start of any project, rather than adding them later on as an afterthought (or not at all).
Security by design requires cooperation between all stakeholders: developers must work together with product managers and user experience experts; technical teams must collaborate with legal teams, marketing should be involved early on so they know how they can best promote their products while still remaining compliant with regulations such as GDPR and salespeople should be educated about these issues so they can better explain to them when speaking with customers.
Codenotary
Codenotary is wholeheartedly committed to providing the best and most secure products to our customers. To that end, our software is almost entirely coded in the memory-safe language Go and it is designed to help you enforce and simplify security at every step of your development and software delivery lifecycle.
Because of our expertise in the field of SBOMs, we have been named one of three IDC Innovators in the field (more on that here). Our products Trustcenter/Enterprise and Trustcenter/Teams have been created in compliance with US government guidelines using our Trustcenter TrueSBOM® to maintain a list of all your open-source components and dependencies. Earlier exposure of security issues and lowering the remediation costs are just some of the features Codenotary’s Trustcenter can provide to you.
Join our many partners in using our products to further increase your cyber security and protect you, your company and your customers with a software delivery lifecycle with maximum safety and security.
Conclusion
CISA desires a mentality shift in the technology industry, prioritizing cooperation in regard to security and overall secure design to increase overall cybersecurity at every step of software development and deployment. Using Codenotary’s Trustcenter is an easy step you can take to increase your cybersecurity and follow CISA’s vision.
