In today’s digital age, software security is more essential than ever, particularly for applications that underpin critical infrastructure or support national critical functions (NCFs). Recognizing this, the Cybersecurity and Infrastructure Security Agency (CISA), alongside the FBI, developed the Secure by Design initiative to encourage software manufacturers to prioritize security from the very beginning of the software development process. By following this guidance, manufacturers not only protect their own interests but also demonstrate a commitment to their customers’ security outcomes.
Understanding the Secure by Design Framework
The Secure by Design framework aims to assist software manufacturers in embedding security best practices from the outset. Although the guidance is voluntary, it offers actionable recommendations that enhance software’s resilience against cyber threats. This is particularly important for software supporting critical infrastructure, as vulnerabilities in these systems can have widespread implications for national security, economic stability, and public safety.
CISA’s guidance addresses three main categories of product security bad practices that manufacturers should avoid:
- Product Properties – Observable security-related attributes of software products.
- Security Features – Core functionalities that contribute to a secure environment.
- Organizational Processes and Policies – Internal practices and standards that promote security transparency.
By following the recommended practices within these categories, software manufacturers can mitigate significant security risks associated with their products.
Key Product Properties to Enhance Security
- Avoid Memory-Unsafe Languages: Developing software for critical infrastructure in memory-unsafe languages (like C or C++) without a strategy for mitigating memory-related vulnerabilities elevates risk. Manufacturers are urged to either transition to memory-safe languages or publish a roadmap by January 1, 2026, detailing steps for enhancing memory safety in existing products.
- Mitigate SQL Injection Risks: The inclusion of user-provided input directly in SQL queries can lead to SQL injection vulnerabilities. Software should enforce the use of parameterized queries to systematically prevent these attacks.
- Prevent Command Injection Vulnerabilities: Allowing user-provided input into operating system commands without clearly separating that input from the command itself poses a risk. Manufacturers should build products so that command inputs are consistently delineated from the command, systematically preventing command injection in critical systems.
- Eliminate Default Passwords: Default passwords, especially those shared across products, are a significant vulnerability. Manufacturers should implement random, unique passwords for each instance or require users to set strong passwords during installation to enhance security.
- Address Known Vulnerabilities: Releasing software with known vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog significantly elevates risk. Software manufacturers are advised to patch these vulnerabilities before product release and to respond to new KEV disclosures with timely patches to protect users.
- Secure Open-Source Software Dependencies: Integrating open-source software with known vulnerabilities can create critical security risks. Manufacturers should maintain a software bill of materials (SBOM) for their dependencies and follow strict security measures to evaluate and update these dependencies.
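The SQL injection and command injection items above share one root cause: untrusted input is spliced into text that a database or shell then parses as code. The following added example (not CISA’s code, and not from the page) shows both bad practices beside their structured alternatives. The user table, the inputs, and the `wc -l` command line are constructed for illustration; the safe command path spawns a Python child via `sys.executable` only so the example runs wherever the interpreter does.

```python
"""Added example: keep untrusted input as data, never as code.

Left side of each pair: the bad practice (input concatenated into SQL or a
shell command line). Right side: a parameterized query and an argument
vector, where the input cannot change the structure of what executes.
All data and inputs below are constructed for this example.
"""
import sqlite3
import subprocess
import sys


def make_db() -> sqlite3.Connection:
    """Seed an in-memory database with a constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Bad practice: the caller's string becomes part of the SQL text, so the
    # database cannot tell where the literal ends and extra SQL begins.
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized query: the name is bound as a value. Quotes or operators in
    # it are compared as characters, never interpreted as SQL.
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]


def build_unsafe_command_line(filename: str) -> str:
    # Bad practice, shown as the string it would hand to a shell (not run here):
    # a filename containing shell metacharacters would be parsed as two commands.
    return f"wc -l {filename}"


def run_safe_argv(filename: str) -> str:
    # Argument vector with no shell in the path (subprocess default shell=False):
    # the entire value reaches the child as a single argv element. The child
    # simply echoes argv[1] so we can observe exactly what it received.
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", filename],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    conn = make_db()
    hostile_name = "x' OR '1'='1"          # constructed input with a quote
    print("unsafe:", lookup_unsafe(conn, hostile_name))   # every row leaks
    print("safe:  ", lookup_safe(conn, hostile_name))     # no such user: []
    hostile_file = "report.txt; ls"        # constructed input with a separator
    print("string:", build_unsafe_command_line(hostile_file))
    print("argv:  ", run_safe_argv(hostile_file))         # one argument, intact
```

The point to carry into code review is that the safe variants need no escaping logic at all: the database driver and the process API already keep data and code apart, so the fix is to use them consistently rather than to sanitize input case by case.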
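For the default-password item, the practical shape of the fix is a first-setup step that generates a credential unique to that installation and stores only a salted hash, or that enforces a minimum strength on a password the installer chooses. The example below is added here to illustrate that flow; it is not from CISA or the page, and the first-boot hook, the 12-character minimum and the small blocklist of known defaults are constructed policy values.

```python
"""Added example: no shared default password.

Each installed instance receives its own random initial administrator
password at first setup; only a salted scrypt hash is persisted, and the
plaintext is shown once to the installer. Alternatively the installer sets a
password that must pass a strength check. All policy values are constructed.
"""
import hashlib
import hmac
import os
import secrets

PASSWORD_BYTES = 16          # 128 bits from the OS CSPRNG (constructed value)
MIN_USER_PASSWORD_LEN = 12   # constructed minimum for installer-chosen passwords
KNOWN_DEFAULTS = {"admin", "password", "123456", "changeme"}  # constructed list

# scrypt parameters used for both hashing and verification.
_SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)


def generate_initial_password() -> str:
    """A fresh random password per call, so no two instances share one."""
    return secrets.token_urlsafe(PASSWORD_BYTES)


def hash_password(password: str, salt: bytes = b"") -> dict:
    """Return a record holding a random salt and the scrypt hash, hex-encoded."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **_SCRYPT)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **_SCRYPT)
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def is_acceptable_user_password(password: str) -> bool:
    """Minimum strength for an installer-chosen password (constructed policy)."""
    return (len(password) >= MIN_USER_PASSWORD_LEN
            and password.lower() not in KNOWN_DEFAULTS)


def first_boot_setup():
    """Hypothetical first-boot hook: returns (one-time plaintext to display,
    record to persist). Nothing here is baked into a shipped image."""
    password = generate_initial_password()
    return password, hash_password(password)


if __name__ == "__main__":
    shown_once, stored = first_boot_setup()
    print("initial admin password (display once):", shown_once)
    print("persisted record:", stored)
    print("login with it:", verify_password(shown_once, stored))
    print("login with 'admin':", verify_password("admin", stored))
```

Storing the hash record rather than the password keeps a leaked configuration backup from turning into a credential, and because the salt is per record, two instances that happened to pick the same password would still store different hashes.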
Essential Security Features for Robust Software Design
- Implement Multi-Factor Authentication (MFA): Lack of MFA support, especially for software used in critical infrastructure, exposes systems to unauthorized access risks. Manufacturers should ensure that MFA is supported and enabled by default for administrator accounts by January 1, 2026.
- Enable Intrusion Detection Capabilities: Products should provide customers with logs and artifacts to detect signs of intrusion. For cloud and SaaS products, logs should be retained for at least six months at no additional charge, allowing organizations to monitor for potential security breaches effectively.
Strengthening Organizational Processes and Policies
- Publish Timely CVEs: Failing to disclose Common Vulnerabilities and Exposures (CVEs) promptly for critical or high-impact vulnerabilities weakens customer trust. CISA recommends publishing timely CVEs, complete with Common Weakness Enumeration (CWE) data, for transparency and security.
- Establish a Vulnerability Disclosure Policy (VDP): A VDP encourages external parties to report vulnerabilities responsibly without fearing legal repercussions. This policy should authorize testing by the public, provide a reporting channel, and adhere to coordinated disclosure best practices.
Why Secure by Design Matters for Today’s Software Landscape
The rapid expansion of digital systems supporting critical infrastructure means that vulnerabilities in one system can have cascading effects. CISA’s Secure by Design guidance is a proactive approach, urging manufacturers to build security into their development processes to prevent risks rather than react to them. By adopting Secure by Design practices, software manufacturers send a clear message: they are committed to protecting not only their own interests but also the public’s safety, security, and well-being.
The Secure by Design initiative isn’t about enforcing regulations but offering a robust framework for manufacturers to voluntarily elevate their security standards. Following these best practices will help create a digital environment where security is woven into the fabric of every product, ultimately contributing to a safer, more resilient infrastructure for all.
Final Thoughts
Incorporating security into the very fabric of software development, especially for critical infrastructure, is a powerful step toward safeguarding the essential systems that drive our society. CISA’s Secure by Design initiative empowers software manufacturers to proactively enhance security, prevent vulnerabilities, and foster public trust in their products. By embracing Secure by Design principles, manufacturers can make a significant impact on national security and create a safer digital ecosystem for everyone.
If you’re ready to elevate the security of your software products, The Sun Media House can help. Our expert team understands the importance of Secure by Design and works alongside software manufacturers to embed robust security practices from day one. Let us support you in developing software that not only meets but exceeds industry security standards.
Contact The Sun Media House today to learn how we can assist you in creating secure, resilient software that meets the highest standards for critical infrastructure. Together, let’s shape a safer digital future.
Source – https://www.cisa.gov/resources-tools/resources/product-security-bad-practices