Joint international guidance: Principles and approaches to secure-by-design and by-default

CERT NZ alongside the cybersecurity authorities of Australia, Canada, United States, United Kingdom, Germany, and Netherlands have published “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default.”

17 April 2023

The joint guidance urges software manufacturers to take the steps necessary to ship products that are secure-by-design and -default, creating a future where technology and associated products are safe for customers.

Security-by-Design and -Default | CISA

The joint agencies urge manufacturers to revamp their design and development programs so that only products that are secure-by-design and -default are shipped to customers.

This guidance, the first of its kind, is intended to catalyse progress toward further investments and cultural shifts necessary to achieve a safe and secure future. In addition to specific technical recommendations, this guidance outlines several core principles to guide software manufacturers in building software security into their design processes prior to developing, configuring, and shipping their products.

  • Shifting the burden of security from the customers by taking ownership of the security outcomes of their products. Making a secure configuration the default baseline, in which products automatically enable the most important security controls needed to protect enterprises from malicious cyber actors.
  • Embracing radical transparency and accountability – for example, by ensuring vulnerability advisories and the associated Common Vulnerabilities and Exposures (CVE) records are complete and accurate.
  • Building an organizational structure that provides executive level commitment for software manufacturers to prioritise security as a critical element of product development.

The full co-branded guidance can be found on the Cybersecurity and Infrastructure Security Agency (CISA) website.


Many private sector partners have made invaluable contributions toward advancing security-by-design and security-by-default. With this joint guide, the authoring agencies seek to progress an international conversation about key priorities, investments, and decisions necessary to achieve a future where technology is safe, secure, and resilient by design and default.

Director of CERT NZ Rob Pope believes the guidance is an essential read for organisations wanting to contribute to global cyber resilience.

“By creating products that are secure, both by design and by default, manufacturers can take much of the burden from end-users. We know many manufacturers are already doing this and hopefully we can encourage others to take it up.”

“These steps are the cyber equivalent of seatbelts, simple inbuilt default practices that keep people safe. This publication shows that the government of Aotearoa New Zealand is serious about keeping people secure online.”

For the full media release: U.S. and International Partners Publish Secure-by-Design and -Default Principles and Approaches | CISA