Software security is a key consideration for any organization conducting business digitally.
Recognizing this, on August 12, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem. The guide helps organizations ensure their software manufacturers prioritize security from the start by providing questions, considerations and resources to integrate product security throughout the procurement lifecycle.
The guide also complements the recently published Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle.
The importance of adequate cybersecurity measures grows as more organizations digitally transform their operations. As a result, it should become commonplace for software customers to be diligent about and demand security measures as part of their procurement process.
Secure by Design
Secure by Design is a software concept that prioritizes security from the outset of the product development lifecycle by software manufacturers – those that create, ship and maintain software. Three Secure by Design principles for manufacturers are:
- Taking ownership of customer security outcomes;
- Embracing radical transparency and accountability; and,
- Building an organizational structure and leadership to achieve these goals.
A focal point of the Secure by Design concept is manufacturers ensuring that their products are secure so that customers can be more resilient against ransomware and other forms of malicious activity. Traditionally, software customers have focussed on manufacturer's enterprise security measures, letting specific product security fall by the wayside. For context, enterprise security refers to practices that protect the software manufacturers infrastructure and operation. Meanwhile, product security refers to measures implemented into specific software products by the manufacturer so the software remains secure against attackers when in operation.
Software customers can integrate product security by taking different steps at different stages of the procurement lifecycle:
ONE. Before procurement, the software purchaser should ask vendors questions to understand their approach to product security.
Examples of important questions to ask before procurement are:
- How does the manufacturer implement security patches and enable functionality for automatic updates?
- How should the product support secure authentication, for example, does the software enable multi-factor authentication?
- Has the software manufacturer eliminated default passwords or reduced the use of default passwords?
- How has the manufacturer addressed software defects and vulnerabilities?
- How does the manufacturer address its supply chain security (for example, third party dependencies and open-source)?
- Does the manufacturer make security logs available to the software purchaser?
TWO. During procurement, customers should integrate product security requirements into contract language.
THREE. Following procurement, customers should continually assess manufacturer's product security and security outcomes.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.