Senior security advisor tells conference that the US agency is examining ways to secure open source.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) wants customers to push software manufacturers to create more secure products, the agency’s senior technical advisor told ISC2 members this week as part of the ISC2 Spotlight event on Secure Software Development.

It is also looking more closely at ways to bolster the security of open-source software, CISA’s senior technical advisor, Jack Cable, told attendees.

The organization published a whitepaper earlier this year on Security by Design, which called for the burden of cybersecurity risk to shift from the “least capable” – small companies, schools, and local government, for example – to those “most capable”.

Who are the most capable? “That’s the manufacturers … that are building these products in a way that have vulnerabilities or misconfigurations that continue to get exploited by attackers.” This is in line with the broader U.S. national security effort around cybersecurity.

Secure by Design is the Default Stance

Ensuring products are both secure by design and secure by default is central to CISA’s strategy, Cable explained. The former includes actions like detailing artifacts, producing software bills of materials (SBOMs), and laying out roadmaps towards using memory-safe languages. The latter includes ensuring products are secure “right out of the box” and don’t place an undue burden on the user.

He explained that CISA was pursuing a three-point strategy where software manufacturers should: own security outcomes, and view customer security as an extension of vendor security; engage in “radical transparency and accountability”; and build organizational structures to ensure this “from the CEO down.”

He added, “security can’t be a second-class citizen to sales or growth.”

Cable said one particular interest for him was ensuring that manufacturers have vulnerability disclosure policies, “or ideally bug bounties that offer legal safe harbor so that researchers aren’t scared of legal action. They should allow researchers to talk publicly about their findings.”

The organization’s recently updated whitepaper went into more detail on the actions manufacturers can take to make their products more secure from the outset, he said, rather than leaving it in the hands of users.

“It’s not easy to be a user of tech products today … but everybody has to be a user of tech products,” he continued.

When applications or products are not secure out of the box, customers are “inheriting all this work.” That ranges from resetting default passwords and patching vulnerabilities in the first instance, to longer-term burdens such as paying extra for identity and access management (IAM) tools, hardening security, and more.

Improving Education to Tackle Cybersecurity

The organization also wants cybersecurity to be a fundamental part of the computer science curriculum rather than an option. Cable noted that of the top 20 computer science universities in the U.S., only one required security to be taught at undergraduate level.

While CISA was pushing industry on this, and the U.S. government was using its own purchasing might to push this agenda, end users had a part to play, he said. “How do we start to get customers really asking more and asking the right questions of their vendors?

“We want customers to really start asking for these … start asking their vendor, ‘What is your secure by design roadmap? Or can you give me your SBOMs?’” Customers should ask suppliers “how are you training your employees, or how are you actually looking for security when you’re hiring software developers.”

“The more that … customers can really create that demand signal, the better off we are.”

Shipping insecure software or digital products was a business decision on the part of manufacturers, he said. Often the response to CISA’s efforts was “who’s going to pay?”

But he continued, “Our response is we’re paying for this. It’s just offloaded onto the customers.”

Security by design isn’t free, and isn’t cheap to implement, he accepted. But compared to the existing costs associated with a lack of security, from ransom payments, breach costs, and the costs of additional security, “We think it’s better in the long run.”

And beyond the economic impact, there is a broader issue of the “national security delta” to consider. An unacceptable lack of security was leaving critical infrastructure vulnerable to ransomware attacks, he said.

Having customers prioritize security in discussion with suppliers, “and enforcing that through contract language, or their purchasing decisions, I think that is one of the best ways we can go about doing this.”

Not Just a Proprietary Consideration

This was not just an issue for closed-source vendors, Cable said. The organization recently ran a request for information, in conjunction with other agencies, on open-source software and memory safety. “We got some very thoughtful responses.”

Cable added, “We want to see how the federal government and CISA can help and spur additional improvements in security recognizing all the many benefits that we’ve gotten from open-source.”

He noted that the U.S. government was itself a major user of open-source, and “has a responsibility to contribute back.”

The government was building out partnerships with open-source communities, he said. “For instance, principles for security for package managers, who are in a really great position to help raise the security baseline of the open-source community broadly.”

The responses to the request for information would help it work out where it could get the biggest bang per buck, Cable said.

It should be the responsibility of every company producing software to be good stewards “of the open source that they’re dependent upon, that they’re integrating and using to sell their products to their customers.”

The pervasiveness of open-source means, “It’s really everyone’s responsibility who uses open-source software to help maintain that ecosystem.”
- More information on this ISC2 Spotlight can be found here.
- Forthcoming ISC2 conferences and Spotlights are listed on our Events page.
- There is a range of Skill-Builders available focused on software security, all of which can earn you CPE credits and are free to ISC2 members.