By Stephen de Vries, CEO, IriusRisk
In 2023, we saw governments and global cybersecurity agencies begin to put the building blocks in place for secure design and shift the burden of cyber defense onto software and system vendors. The US took significant strides in developing legislation and guidance for software manufacturers, and in Europe the EU's Cyber Resilience Act, which reached political agreement in late 2023, set out further cybersecurity requirements for hardware and software products with digital elements.
This year it is about action. In 2024, organizations need to respond to the guidance and regulations and implement security by design in software development and architecture to protect against cyber threats.
It is vital that cybersecurity professionals understand how to implement security by design and how to approach some of the organizational challenges they may need to overcome. But before we examine what businesses need to do, let’s remind ourselves of what was introduced.
A changing regulatory landscape
The US took the lead and introduced the National Cybersecurity Strategy in March 2023, which committed to developing legislation that shifts liability for insecure software onto the vendors that fail to take reasonable precautions. This was followed by the Quad nations (Australia, India, Japan and the United States) releasing the “Quad Joint Principles for Secure Software”, which included a commitment to require security-by-design within government software procurement rules.
Later in the year, the White House published its Implementation Plan for the National Cybersecurity Strategy, which put in place a public-private partnership to drive the development and adoption of software that is secure by design and secure by default. CISA, jointly with international partner agencies, also published “Shifting the Balance of Cybersecurity Risk”, its guidance on how software manufacturers can implement secure design.
This raft of regulation and guidance in 2023 clearly set out the direction of travel for governments and legislators; the future is security built right into the design of systems themselves, rather than added after the fact.
So, what is security-by-design and how can organizations begin to put it into practice?
Secure Design and Threat Modeling
To create software that is secure-by-design, we need to identify threats to the security of the data and assets, and assess and mitigate the risks before we begin building the software, then revisit that analysis whenever the design changes.
No software manufacturer sets out to build software that is insecure. But the reality is that developers are incentivized to get software to market as quickly as possible and worry about security later. However, trying to fix flaws after software has been built is both time consuming and expensive. So we need to tackle this issue from the very beginning before a single line of code is written. Threat modeling is how we do this.
Threat modeling is the process of analyzing software for potential threats and determining the most effective ways to mitigate them, and it is fundamental to secure design. Popularized by Microsoft’s Security Development Lifecycle in the mid-2000s, the threat modeling process can easily be understood using Adam Shostack’s four-question framework, designed to help teams build more secure systems:
- What are we working on?
- What can go wrong?
- What are we going to do about it?
- Did we do a good enough job?
In the past, threat modeling has been done on a whiteboard as a collaboration between cybersecurity teams and developers. However, at a time when organizations are building thousands of applications, this manual process of identifying threats is becoming increasingly impractical.
This is where automated threat modeling can make things easier. Developers can input the data of “what are we working on” (components, data flows and trust boundaries) into a tool, and then rely on automation to generate a threat model containing relevant threats (“what can go wrong”) and countermeasures (“what are we going to do about it”). This reduces the time and effort for security teams, who no longer have to start from scratch with every new piece of software. The generated model is only as good as the rules behind it and the accuracy of the architecture fed in, so engineers who know the system still need to review it and add the threats that a generic rule set cannot see.
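To make the four questions concrete, here is a small rule-based threat generator written for this article as an added example; it is not IriusRisk's engine or any other vendor's code, and the components, flows, rules and mitigation set are all constructed for illustration. The architecture description answers "what are we working on?", the rules answer "what can go wrong?" and "what are we going to do about it?", and the list of unmitigated threats answers "did we do a good enough job?".

```python
"""Minimal rule-based threat model generator (illustrative example, not a vendor tool).

Categories use the STRIDE letters: S spoofing, T tampering, R repudiation,
I information disclosure, D denial of service, E elevation of privilege.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    zone: str                      # trust zone, e.g. "internet", "dmz", "internal"
    stores_secrets: bool = False   # holds credentials, keys or other sensitive data at rest


@dataclass(frozen=True)
class Flow:
    source: str
    dest: str
    protocol: str                  # label only, e.g. "https", "postgres"
    encrypted: bool = True
    authenticated: bool = True
    carries_user_input: bool = False


@dataclass
class Threat:
    target: str                    # "src->dst" for a flow, or a component name
    category: str                  # STRIDE letter
    description: str
    countermeasure: str
    mitigated: bool = False


def model_threats(components, flows, mitigated=frozenset()):
    """Apply hypothetical rules to the architecture and return the generated threats.

    `mitigated` is a set of (target, category) pairs the team has already addressed;
    a real tool would track mitigations per individual threat and countermeasure.
    """
    by_name = {c.name: c for c in components}
    threats = []
    for f in flows:
        src, dst = by_name[f.source], by_name[f.dest]
        target = f"{f.source}->{f.dest}"
        crosses = src.zone != dst.zone       # a trust boundary is crossed
        if crosses and not f.encrypted:
            threats.append(Threat(target, "I",
                f"{f.protocol} traffic crosses the {src.zone}/{dst.zone} boundary in cleartext",
                "encrypt in transit (TLS)"))
            threats.append(Threat(target, "T",
                "cleartext traffic can be modified in transit",
                "TLS with certificate validation"))
        if crosses and not f.authenticated:
            threats.append(Threat(target, "S",
                "caller is not authenticated across a trust boundary",
                "authenticate the caller (session token or mTLS)"))
        if f.carries_user_input:
            threats.append(Threat(target, "T",
                "untrusted input reaches the service",
                "validate input; use parameterised queries and output encoding"))
        if src.zone == "internet":
            threats.append(Threat(f.dest, "D",
                "internet-facing component can be flooded",
                "rate limiting and resource quotas"))
    for c in components:
        if c.stores_secrets:
            threats.append(Threat(c.name, "I",
                "secrets at rest can be read if storage is compromised",
                "encrypt at rest and restrict access to the store"))
    for t in threats:
        t.mitigated = (t.target, t.category) in mitigated
    return threats


def open_threats(threats):
    """Question four: anything still unmitigated means we are not done yet."""
    return [t for t in threats if not t.mitigated]


def example():
    """Constructed three-tier web application, used as sample input."""
    components = [
        Component("browser", "internet"),
        Component("api", "dmz"),
        Component("db", "internal", stores_secrets=True),
    ]
    flows = [
        Flow("browser", "api", "https", authenticated=False, carries_user_input=True),
        Flow("api", "db", "postgres", encrypted=False),
    ]
    # Countermeasures the team claims to have implemented so far (hypothetical).
    done = {("api->db", "I"), ("api->db", "T"), ("browser->api", "T")}
    threats = model_threats(components, flows, done)
    return threats, open_threats(threats)


if __name__ == "__main__":
    threats, remaining = example()
    for t in threats:
        print(("[x] " if t.mitigated else "[ ] ") + f"{t.category} {t.target}: {t.description} -> {t.countermeasure}")
    print(f"{len(remaining)} of {len(threats)} threats still open")
```

Running the script lists six generated threats for the sample system and reports that three are still open: the unauthenticated browser-to-API call, the denial-of-service exposure of the API, and the unencrypted secrets in the database. The rules are deliberately simple; the point is that once the architecture is described as data, the "what can go wrong" and "what are we going to do about it" steps become repeatable and reviewable rather than a whiteboard exercise that starts from zero each time.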
Implementing secure design in your organization
For it to be effective, we need developers and software architects to engage with secure design and threat modeling. However, it is not as simple as asking developers to focus more on security because they do not always have the right skills or experience to be able to identify vulnerabilities. Most developers graduate without having learnt the technical knowledge needed to build secure software or how to threat model. Whilst they are highly skilled at developing the functionality of a web application, they are not always equipped to think about how threat actors would exploit security flaws in that functionality.
As a result, in many organizations the onus falls on security teams to test software for vulnerabilities with security testing tools. The problem is they usually get involved once the software code has already been written. This is too late for designing secure software because the design flaws are already embedded at this stage.
Instead, security and developer teams must work together collaboratively from the very beginning of the software development process in order to develop software more efficiently and safely. Only then can software flaws be identified and mitigated before the software is built.
Unfortunately, we often see a lack of clarity over responsibility for security by design meaning that it can fall through the cracks. This is when senior leaders need to get involved to ensure threat modeling is prioritized as a strategically important activity. If the raft of rules and regulations coming out of government isn’t enough for senior leaders to take note, then nothing will be.
A rapidly changing environment
Within a year we have seen a vast amount of regulation and guidance around cybersecurity and how organizations can protect themselves against cyber attacks and threats. Not only in the US, but globally.
Add into the mix the emergence of new technology, such as machine learning and artificial intelligence, which is already having a significant impact on the cyber threat landscape – and it becomes more important to ensure security is prioritized from the start of the development process.
This is the year for organizations to take action and build secure design and threat modeling into the early stages of software development. It is more important than ever for businesses to be on the front foot, otherwise they will get left behind.
About the Author
Stephen de Vries is the co-founder and CEO at IriusRisk. He started his career as a C, C++ and Java developer, before moving into software security. He’s an active contributor to a number of OWASP projects and has helped FTSE 100 companies to build security into their development processes through threat modeling and integrated security testing. Stephen can be reached online at linkedin.com/in/stephen-de-vries-4185a8 and on our company website https://www.iriusrisk.com/.
Source: www.cyberdefensemagazine.com