CISA is pressuring technology vendors to provide secure software ‘out of the box’

Today, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation, the National Security Agency (NSA) and cybersecurity authorities in Australia, Canada, the United Kingdom, Germany, the Netherlands and New Zealand have released new ones accompaniment urging software manufacturers to take the necessary steps to ship products that are designed to be secure “out of the box”.

The guidance, a report titled “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default,” aims to “encourage every technology manufacturer to build its products so that customers don’t have to constantly perform monitoring, routine updates and damage mitigation on their systems.”

>>Don’t miss our latest special issue: Data centers in 2023: doing more with less.<

“Building security into the design process is not only good practice, it is also very effective in reducing software errors before they reach the consumer. The challenge, however, is for organizations to adopt these practices without impacting the business, as this process takes time and requires resources that can impact the bottom line,” said Ray Kelly, fellow at Synopsys Software Integrity Group.

The report comes less than a year after the EU Cyber ​​Resilience Actwhich aimed to codify a cybersecurity framework for hardware and software manufacturers to improve the security of products during the design and development phase.

Both the Cyber ​​Resilience Act and the new guidelines from CISA emphasize that there is an industry-wide shift from placing the security burden on end-user organizations and customers to making software vendors more transparent and responsible for the level of bugs and vulnerabilities in released products.