Lock Down the Software Supply Chain With 'Secure by Design'

As zero days and complex networks create gaps for cyberattacks, software developers and agencies, such as CISA, look to the concept for building in defenses.

Software that prioritizes security at its most foundational level means designing it with customer security as a key goal rather than a tacked-on feature. And that concept — secure by design — is becoming increasingly crucial as attackers begin targeting supply chains more frequently.

"They understand that they can have a bigger impact by successfully exploiting the supply chain," says Thomas Pace, CEO of NetRise.

Because traditional security solutions, such as endpoint detection and response (EDR), firewalls, and spam filters, have become good at preventing head-on attacks, he says, attackers have to look for openings further up the chain. And pasted-together systems provide just that kind of opening.

"Cyberattacks are easier when businesses and vendors try to 'bolt on' security after the fact," says David Brumley, CEO of ForAllSecure. "It's like putting an after-market stereo in your car — it just doesn't work exactly right."

To enhance software security globally, the Cybersecurity and Infrastructure Security Agency (CISA) has proposed an initiative aimed at revolutionizing development practices by embracing secure by design principles in the software development life cycle. It reflects a significant shift toward proactive security measures.

The request for information focuses on addressing recurrent software vulnerabilities, fortifying operational technology, and assessing the impact of secure practices on costs. The call for comment, which is open until Feb. 20, 2024, also emphasizes the collective responsibility of technology manufacturers and consumers in fostering a future where technology is inherently safe and secure.

"Secure by design means security is part of how you build the software from the ground up," Brumley explains. "That means it is much more robust from attacks."

A Foundational Level of Security

Secure by design starts with architecture and risk management principles in operations before an organization migrates to or begins using the cloud, says Ken Dunham, cyber threat director at Qualys Threat Research Unit.

"This is a critical element of modern, complex hybrid infrastructure," he explains. "In a world of shared responsibility, organizations must decide what risk is acceptable to be shared — and potentially at higher risk — with third parties versus that which is fully owned and managed in-house."

The life cycle of software manufacturing is increasingly complex, Dunham notes, with many stakeholders who must be secured to reduce risk.

"Are your developers, who care about functionality and user experiences, adept at secure coding principles, modern-day attacks, security countermeasures, and SecOps?" he asks.

Organizational security expectations put pressure on onboarding teams to properly roll out, configure, and monitor software within the business architecture.

"How mature are your incident response and cyber threat intelligence services?" Dunham says. "Do you trust them in a hybrid cloud world where you may have a complex intrusion attack at blazing speed?"

Adds Brumley: "Once you have the right people, the process is well understood. You architect the product with defense in depth, make sure your dependencies and third-party software are up to date, and use a modern technique like fuzzing to find unknown vulnerabilities."

For Brumley, secure by default means designing in security that works with how people use the software.

"There are design principles that span multiple principles — just like when building a skyscraper, you need to think about everything from structural support to air conditioning," he explains.

Paradigm Shift Required in IT Security

2023 was full of examples where race conditions existed for zero days — vulnerabilities were reversed and weaponized by bad actors faster than organizations could patch them, Dunham notes.

"There are still some organizations struggling to patch Log4j vulnerabilities after all this time," he says.

Organizations must identify their attack surface, internal and external, and prioritize assets and risk management accordingly if they're to get out in front when exploitation and attack risk related to a vulnerability increases, Dunham adds.

From Pace's perspective, the IT security industry must undergo a paradigm shift in how it considers risk and how to best prioritize it — and this can only happen with visibility into the supply chain. He shares an example in which a "very large organization" did not know what dependencies its security system had when it dutifully updated that system.

"After the update, it was scanned by a vulnerability scanner and it was determined that the recent critical Apache Struts vulnerability was present," Pace says. "Now this organization has introduced a severe risk to their organization."

Secure Design in the IoT Era

One key challenge for organizations is designing security into long-lived devices, like those that are part of the Internet of Things (IoT), that may not have had security as a design consideration initially, says John Gallagher, vice president of Viakoo Labs at Viakoo.

"This requires more extensive testing and may require new engineering resources," he says. "Likewise, building in new security features is a way to introduce new security vulnerabilities."

Software manufacturers should embrace the use of software bills of materials (SBOMs) to find and remediate vulnerabilities more quickly, says Gallagher, noting that companies are incorporating secure by design practices into new products, which will ultimately be a competitive factor in the marketplace.

"In addition to [multifactor authentication] and restricted access privileges, other measures, like eliminating default passwords and providing mechanisms to more easily and quickly update firmware, are being designed into products," he says.

Avoiding "security through obscurity" is another tenet of secure by design, Gallagher points out. SBOMs and open source software, for example, provide security by offering transparency around the software code.

One of the areas Pace says he is most excited about as it relates to secure by default and secure by design is significantly better visibility into the software supply chain.

"Once this visibility can be achieved, we can begin to truly understand where our problems are from a foundational level and then begin to prioritize them in a way that makes sense," he says.

About the Author(s)

Nathan Eddy, Contributing Writer

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.
