UK joins key allies to launch secure-by-design guidelines

The UK’s National Cyber Security Centre (NCSC) has joined with its counterparts in Australia, Canada, Germany, the Netherlands, New Zealand and the US to launch a guide containing advice to help technology manufacturers keep customers safe by embedding secure-by-design and secure-by-default principles into their products during the development phase.

Titled Shifting the balance of cyber security risk: principles and approaches for security-by-design and -default, the guide is available to download via the US Cybersecurity and Infrastructure Security Agency (CISA).

The group said that devices and products where security has been treated as an additional technical feature, or where users need to make potentially complex configuration changes to keep themselves safe after purchase, leave people needlessly exposed to security risks and potentially cyber attacks.

The guide is presented as an attempt to lessen the burden of risk on ordinary users by providing manufacturers with a roadmap of actionable steps they can, and should, be taking.

“As our lives become increasingly digital, it is vital technology products are being designed and developed in a way that holds security as a core requirement,” said NCSC CEO Lindy Cameron.

“Our new joint guide aims to drive the conversation around security standards and help turn the dial so that the burden of cyber risk is no longer carried largely by the consumer. We call on technology manufacturers to familiarise themselves with the advice in this guide and implement secure-by-design and secure-by-default practices into their products to help ensure our society is secure and resilient online.”

CISA director Jen Easterly said: “Ensuring that software manufacturers integrate security into the earliest phases of design for their products is critical to building a secure and resilient technology ecosystem.

“These secure-by-design and secure-by-default principles aim to help catalyse industry-wide change across the globe to better protect all technology users. As software now powers the critical systems and services we collectively rely upon every day, consumers must demand that manufacturers prioritise product safety above all else,” said Easterly.

Abigail Bradshaw, head of the Australian Cyber Security Centre (ACSC), added: “Cyber security cannot be an afterthought. Consumers deserve products that are secure from the outset. Strong and ongoing engagement between government, industry and the public is vital to putting cyber security at the centre of the technology design process.”

Among the guide’s contents are strategies for engaging senior leadership with security principles; and tactical steps that development teams can undertake to help organisations take ownership of the security outcomes of their products, such as eliminating default passwords and implementing single sign-on (SSO) features, creating a default baseline of security whereby products automatically enable the most important security controls needed to protect enterprises from malicious cyber actors.

It urges organisations to practice “radical transparency and accountability”, such as by ensuring vulnerability advisories and newly-identified common vulnerability and exposure (CVE) records are complete, accurate and public.

It also contains advice for organisations on holding their own technology suppliers accountable for cyber security outcomes, and suggestions on improved collaboration across supply chains to incentivise secure practices.