
Software makers can enhance their brand by embracing CISA’s new secure code guidelines

Secure by Design Code

Spurred to action by constant cyberattacks, high-profile breaches and an increasingly hostile threat landscape, governments around the world from the United Kingdom to Australia are cracking down on companies that produce vulnerable software or devices containing exploitable code. The effort has been spearheaded by the Cybersecurity and Infrastructure Security Agency (CISA), which recently released its three-year strategic plan that specifically challenges software makers to ship more secure products.

Although CISA runs its operations out of the U.S. Department of Homeland Security, the agency has quickly become a leader in fighting global cybersecurity issues since its founding in 2018. Today, guidance created by the agency has worldwide influence, with many other governments adopting some form of CISA’s suggested policies.

One good example: CISA’s Secure-By-Design guidelines, which call for shifting the responsibility for secure coding back to those making the devices, software and applications people increasingly rely on, and trust with sensitive data. The program defines what many frustrated technology users already know, that the industry needs a new model for cybersecurity in which vulnerabilities are fixed long before they reach the public.

While the guidance and the call to action for companies to produce more secure software is voluntary right now, that could change in the future as there’s growing frustration on the part of consumers who largely bear the burden of protecting their devices and applications. It’s a situation that many government officials say must change.

“We’ve normalized the fact that technology products are released to market with dozens, hundreds, or thousands of defects, when such poor construction would be unacceptable in any other critical field,” said CISA Director Jen Easterly at a recent event held at Carnegie Mellon University. “We’ve normalized the fact that the cybersecurity burden is placed disproportionately on the shoulders of consumers and small organizations, who are often least aware of the threat and least capable of protecting themselves.”

New guidance offers an amazing opportunity

While it’s easy for those who create software, devices, applications and other technology to lament the fact that CISA and other government agencies around the world are starting to shift the blame for insecure software back to manufacturers, that misses the most important point: it's an opportunity. Ultimately, producing secure software helps everyone – including the company that makes it – in addition to the users who depend on it, and the people whose data gets accessed or stored by that software or application.

I've been advocating that position for many years. Secure software benefits everyone, except for the cyber criminals who need to find and exploit vulnerabilities to ply their nefarious trade.

Beyond just those important benefits, the new guidance coupled with the possibility that voluntary guidelines could one day become mandatory also presents companies with an opportunity to improve their software coding practices. If producing secure software will one day become mandatory, then why not use that as justification to begin improving secure coding practices right now by helping the developer community get the training and tools needed to make that happen?

Organizations that embrace secure coding and make security-skilled developers the heart of their security programs will find themselves well-positioned for the day when the legal responsibility for shipping insecure code may result in fines or other consequences. Organizations that consistently produce secure code will also reap the benefits of doing so along the way – whether or not a new policy requiring it becomes mandatory.

Use secure coding practices to boost the brand

Besides eliminating vulnerabilities in software right from the development phase of new products and services, companies can also use their secure coding best practices as a way to differentiate themselves from competitors that still ship software and devices riddled with vulnerabilities.

That longstanding reality in software development has caused consumer frustration – even anger – over the current state of affairs. Consumers are tired of being targeted by attackers because of vulnerabilities in their devices and applications. When CISA Director Easterly speaks about this issue, there’s a twinge of anger in her voice at times that mirrors the frustration felt by many technology users. While it's an understandable frustration, it also presents an opportunity for companies to improve and grow trust in their brand.

By advocating security and leveraging secure coding practices, companies can align themselves with the plight of their customers, and make the compelling case that their products are superior because they are secure and free from dangerous vulnerabilities. It’s the right thing to do, and it will also show that they care about their users. If multiple companies make a similar product, and only one can certify that the code that drives their offerings is secure, which one will frustrated consumers ultimately choose?

If enough companies build secure software, it can finally shift the landscape of cybersecurity in a more positive direction for everyone involved – other than the criminals who desperately hope that nothing changes.

Pieter Danhieux, co-founder and CEO, Secure Code Warrior
