CISA Announces Secure by Design Alert Series: How Vendor Decisions Can Reduce Harm at a Global Scale


By: Eric Goldstein, Executive Assistant Director for Cybersecurity, and Bob Lord, Senior Technical Advisor

CISA leads the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure. We continuously publish alerts and advisories to help defenders prioritize their work based on the current threats and software vulnerabilities. We additionally provide defenders with ongoing help prioritizing their scarce resources; for example, our Known Exploited Vulnerabilities (KEV) program identifies the common vulnerabilities and exposures (CVEs) that malicious actors are actively exploiting in the wild.

But to reduce the nation’s risk, we need to do more than warn defenders about the most current attacks and software vulnerabilities. We need to look much further “left-of-boom” and into the software development practices in order to fix things before intrusions cause harm to the American people. We need to identify the recurring classes of defects that software manufacturers must address by performing a root cause analysis and then making systemic changes to eliminate those classes of vulnerability. We need to spot the ways in which customers routinely miss opportunities to deploy software products with the correct settings to reduce the likelihood of compromise. Such recurring patterns should lead to improvements in the product that make secure settings the default, not stronger advice to customers in “hardening guides”.

Most importantly, we need to convey that insecure technology products are not an issue of academic concern: they are directly harming critical infrastructure, small businesses, local communities, and American families. Today CISA is launching a new series of products: Secure by Design Alerts. When we see a vulnerability or intrusion campaign that could have been reasonably avoided if the software manufacturer had aligned to secure by design principles, we’ll call it out. Our goal isn’t to cast blame on specific vendors; to the contrary, we know that vendors make software development and security choices as part of broader business decisions. Instead, our goal is to shine a light on real harm occurring due to these “anti-security” decisions. While the usual dialogue around an intrusion is about how victims could have done more to prevent or respond, alerts in this new series will invert this dialogue by focusing attention on how vendor decisions can reduce harm at a global scale.

Our first publication in the Secure by Design Alert series focuses on malicious cyber activity against web management interfaces. It brings attention to how customers would be better shielded from malicious cyber activity targeting these systems if manufacturers implemented security best practices and eliminated repeat classes of vulnerabilities in their products – and aligned their work to Secure by Design principles.

One of the core principles we identified in our Secure by Design whitepaper is to “take ownership for customer security outcomes”. By identifying the common patterns in software design and configuration that frequently lead to customer organizations being compromised, we hope to put a spotlight on areas that need urgent attention. The journey to build products that are secure by design is not simple and will take time. We hope Secure by Design Alerts will help software manufacturers evaluate their software development lifecycles and how they relate to customer security outcomes.