Security by Default: The Crucial Complement to Secure by Design
Legacy cybersecurity systems – many designed over a decade ago – account neither for the new breed of attacker capabilities and vulnerabilities nor for the reliance on human configuration that is the Achilles heel of so much software.
This new reality is being answered with the software development concept called security by default, a necessary complement to the principles of Secure by Design set forth by the U.S. Cybersecurity & Infrastructure Security Agency (CISA).
Secure by Design principles stress embedding security throughout software design and development. Security by default ensures a product is inherently secure out of the box, from the day it ships. No complex setup is needed because core security features like secure logging and authorization are pre-configured.
Threats are evolving – and accelerating
Until recently, most systems had a limited "blast radius." Protected by firewalls, they were contained, so access was restricted to a select few within an organization. Attackers lacked an open playing field they could crawl in search of weaknesses. Automating attacks at scale was impractical, and the entire attack process – finding a vulnerability, weaponizing it by crafting an exploit and deploying that exploit – took weeks at least, and often months.
This limited not only the speed of attacks but also their scale. Attackers had to target organizations one by one, figuring out ways to bypass specific controls. The overall rate of attacks was low, and even when they did occur, the impact was relatively contained due to the time and effort attackers had to invest.
When we talk about “an evolving cyber threat landscape,” this is nearly an understatement, because natural or even technical evolution has never been this rapid. In only a few years, it has morphed into a digital Thunderdome, an arena that imperils the poorly protected like never before.
This is because attackers have been able to capitalize on three key developments:
- Today’s attackers can quickly weaponize vulnerabilities, and artificial intelligence tools are making that even easier. Gone are the days when a disclosed vulnerability took weeks to turn into a working exploit. Automated scanning tools and exploit kits readily available on the dark web let even less-technical attackers get in on the malware game. Zero-day attacks are a growing concern as attackers become more agile at exploiting vulnerabilities before a patch exists.
- Cloud adoption has created a broader attack surface, as distributed cloud infrastructure makes data harder to secure and monitor. The shared responsibility model between cloud providers and customers leaves gaps when customers misconfigure the parts they own or do not fully understand where their responsibility begins. Additionally, cloud applications often rely on APIs for communication, which introduce vulnerabilities if not properly secured.
- Traditional security measures like firewalls and antivirus aren't keeping pace. Firewalls can be bypassed through social engineering, and signature-based antivirus struggles to detect brand-new zero-day threats. The perimeter-based security approach is outdated in the cloud era, where Secure by Design principles need to be implemented throughout the entire IT infrastructure.
Attackers are ready to probe for weak points or launch attacks the moment a product goes live. So that product must have robust defenses in place from day one, the instant it is turned on and connected to an organization’s network.
The three pillars of security by default
Proper execution of security by default rests on three fundamental pillars.
Shift-left security
Shift-left focuses on catching vulnerabilities early in the development process, where they are cheapest to fix. Developers need to write secure code, avoiding common pitfalls catalogued in resources like the OWASP Top 10 (web application security risks) and the CWE Top 25 (most dangerous software weaknesses).
An analogy is preventive medicine, where wellness practices and inoculation can protect a person from illness. By focusing on secure coding practices from the start, developers are building immunity and resilience right into the software.
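As an added example (not code from the original article), here is what catching one CWE Top 25 entry, CWE-89 SQL injection, looks like in practice: the vulnerable lookup beside its fixed form, plus the kind of unit-test check a shift-left pipeline would run before code is merged. The database, its rows and the function names are constructed for the example.

```python
import sqlite3

# Constructed in-memory database for the example (not real data).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

# VULNERABLE (CWE-89): the untrusted value is spliced into the SQL text,
# so a crafted name can change the structure of the query.
def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()

# FIXED: a parameterised query. The driver sends the value separately from
# the statement, so the input is only ever treated as data.
def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()

# A shift-left check a team could wire into unit tests or a pre-commit hook:
# a classic tautology payload must never widen the result set.
INJECTION_PAYLOAD = "x' OR '1'='1"

def injection_succeeds(lookup) -> bool:
    """True if the tautology payload returns rows it should not."""
    conn = make_db()
    return len(lookup(conn, INJECTION_PAYLOAD)) > 0

if __name__ == "__main__":
    print("vulnerable lookup leaks rows:", injection_succeeds(find_user_vulnerable))  # True
    print("safe lookup leaks rows:     ", injection_succeeds(find_user_safe))        # False
```

The check is deliberately cheap: it asserts a property (an injection payload must match nothing) rather than a specific exploit, so it keeps working as the schema and the query evolve.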
Enforcing secure configurations
When human beings configure their new software, hackers celebrate. To eliminate misconfiguration errors, software providers must enforce secure configurations by default. This includes requiring multi-factor authentication (MFA) or single sign-on (SSO) out of the box, shipping no hard-coded credentials (passwords or tokens), and avoiding default settings whose weaknesses are already known to attackers.
Enforcing secure configurations ensures consistent security across all deployments, regardless of the user's experience or technical expertise. It also simplifies the user experience, since users don’t have to make configuration decisions. Where a weaker setting is genuinely needed, it should require an explicit, logged opt-out rather than being the default.
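As an added example (not code from the original article or any real product), here is one way to make a configuration loader enforce secure defaults: every field starts at its secure value, secrets may only come from the environment rather than the config file, known vendor-default passwords are refused, some floors cannot be lowered at all, and the remaining weaker settings are allowed only as explicit, audited opt-outs. The setting names, the `APP_ADMIN_PASSWORD` variable and the list of known defaults are assumptions made up for the example.

```python
from dataclasses import dataclass, field

# Constructed for this example: values that vendor default configurations
# have commonly shipped with and that attackers try first.
KNOWN_DEFAULT_SECRETS = {"", "admin", "password", "changeme", "default", "123456"}

@dataclass(frozen=True)
class ServerConfig:
    # Every field defaults to its secure value. Weaker settings must be
    # requested explicitly, and some cannot be requested at all.
    require_mfa: bool = True
    min_tls_version: str = "1.2"
    debug: bool = False
    session_timeout_minutes: int = 15
    admin_password: str = field(default="", repr=False)  # kept out of repr/logs

class InsecureConfig(ValueError):
    """Raised when a requested setting would weaken a hard security floor."""

def load_config(settings: dict, env: dict) -> tuple[ServerConfig, list[str]]:
    """Build a config from operator-supplied settings plus the environment.

    Secrets come only from ``env`` (e.g. os.environ), never from the settings
    file, so they cannot be hard-coded or checked into a repository.
    Returns the config and a list of audit warnings for explicit opt-outs.
    """
    if "admin_password" in settings:
        raise InsecureConfig("admin_password belongs in APP_ADMIN_PASSWORD, not in the config file")
    password = env.get("APP_ADMIN_PASSWORD", "")
    if password.lower() in KNOWN_DEFAULT_SECRETS or len(password) < 12:
        raise InsecureConfig("admin password is a known default or shorter than 12 characters")

    cfg = ServerConfig(
        require_mfa=bool(settings.get("require_mfa", True)),
        min_tls_version=str(settings.get("min_tls_version", "1.2")),
        debug=bool(settings.get("debug", False)),
        session_timeout_minutes=int(settings.get("session_timeout_minutes", 15)),
        admin_password=password,
    )

    # Hard floors: no configuration value can lower these.
    if not cfg.require_mfa:
        raise InsecureConfig("MFA cannot be disabled")
    if cfg.min_tls_version not in ("1.2", "1.3"):
        raise InsecureConfig(f"TLS {cfg.min_tls_version} is below the minimum of 1.2")

    # Soft settings: permitted, but only as an explicit and audited opt-out.
    warnings = []
    if cfg.debug:
        warnings.append("debug mode enabled by explicit operator setting")
    if cfg.session_timeout_minutes > 15:
        warnings.append(f"session timeout raised to {cfg.session_timeout_minutes} minutes")
    return cfg, warnings

if __name__ == "__main__":
    import os
    cfg, warnings = load_config({}, os.environ)  # assumes APP_ADMIN_PASSWORD is set
    print(cfg, warnings)
```

The distinction between a hard floor (raise) and a soft opt-out (warn and record) is the practical heart of this: a deployment that is merely unusual shows up in the audit trail, while one that would be known-insecure never starts.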
Securing the software supply chain
Like automotive and aerospace manufacturing, modern software development has become an assembly line – one that relies heavily on third-party libraries and open-source code. Under security by default, developers need to pay strict attention to the security of these components, pinning versions and verifying their integrity and provenance, so they don't introduce vulnerabilities.
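As an added example (not from the original article or any real project), here is the integrity half of that discipline: an artifact that has been reviewed is pinned by exact version and SHA-256, and anything fetched later must match the pin before it is used. The package name, version and artifact bytes are constructed for the example; the lockfile line format follows pip's `--hash=sha256:` pinning syntax.

```python
import hashlib
import hmac
import re

# One pip-style lock entry: exact version plus the SHA-256 of the artifact.
LOCK_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)\s+--hash=sha256:(?P<digest>[0-9a-f]{64})$"
)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def pin(name: str, version: str, artifact: bytes) -> str:
    """Produce a lockfile line for an artifact that has been reviewed."""
    return f"{name}=={version} --hash=sha256:{sha256_hex(artifact)}"

def parse_lockfile(text: str) -> dict:
    """Map package name -> (version, digest). Unpinned entries are an error."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LOCK_LINE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed lock entry: {line!r}")
        pins[m["name"].lower()] = (m["version"], m["digest"])
    return pins

def verify_artifact(pins: dict, name: str, version: str, artifact: bytes) -> bool:
    """True only if name, version and content all match the reviewed pin."""
    entry = pins.get(name.lower())
    if entry is None:
        return False  # not in the lockfile: never install unreviewed packages
    pinned_version, pinned_digest = entry
    if version != pinned_version:
        return False  # a "newer" release is not automatically trusted
    return hmac.compare_digest(sha256_hex(artifact), pinned_digest)

# Constructed artifacts for the example: the bytes that were reviewed, and a
# copy modified after review (a simulated compromised download).
REVIEWED = b"def greet():\n    return 'hello'\n"
TAMPERED = REVIEWED + b"# line added after review\n"

# Constructed lockfile, generated at review time from the reviewed bytes.
LOCKFILE = "\n".join([
    "# constructed lockfile for the example",
    pin("examplelib", "1.4.2", REVIEWED),
])

if __name__ == "__main__":
    pins = parse_lockfile(LOCKFILE)
    print("reviewed artifact accepted:", verify_artifact(pins, "examplelib", "1.4.2", REVIEWED))
    print("tampered artifact accepted:", verify_artifact(pins, "examplelib", "1.4.2", TAMPERED))
```

Pinning by content rather than by version number is what makes this a supply-chain control: a version tag can be re-published with different bytes, a hash cannot. The same pattern generalises to container images pinned by digest and to signed SBOM entries.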
Measuring security by default
Today, a provider can use instrumentation and telemetry to monitor whether its security by default features are working as intended. If the product is on-premises, enabling telemetry means opening an outbound firewall rule so the data can leave the user's network. If it’s in the cloud, it's easier to allow telemetry to flow back to the provider.
In either situation, it’s a matter of mutual consent: the software user must enable the default telemetry so the provider can observe the software's behavior and see whether its built-in security controls are actually in effect. With the same consent, the provider can also enable security features remotely, so the user does not have to intervene to turn them on.
Getting ahead of evolving threats
The best-intentioned, hardest-working cybersecurity professionals are still at the mercy of the data and insights they have in hand. For instance, traditional vulnerability lists like the OWASP Top 10 and CWE Top 25 are key to security awareness but have limitations:
- Updates to the lists still leave a window of vulnerability between discovery and mitigation. Attackers exploit this gap by targeting "outlier" vulnerabilities that are not yet listed.
- Traditional lists focus on known vulnerabilities, leaving organizations susceptible to "known unknowns" – weaknesses with potential for exploitation but not yet identified.
That said, AI and machine learning hold the promise of revolutionizing security by default by closing these gaps:
- Machine learning algorithms can analyze vast amounts of security data to identify patterns and predict potential vulnerabilities, including those not yet on traditional lists.
- By analyzing exploit trends and software behavior, machine learning can identify the “known unknown” weaknesses with a higher likelihood of being exploited, even if they are still undocumented.
Adding AI to the SDLC
AI and machine learning can also transform how security by default principles are incorporated into software development cycles:
- Automated vulnerability detection: AI tools can continuously scan code for vulnerabilities, both known and unknown, so they can be addressed early in an SDLC.
- Proactive security modeling: By analyzing attack patterns, AI can predict threats; this allows proactive security modeling to build software with baked-in defenses against those threats.
- Intelligent developer assistance: AI can analyze code and make real-time suggestions about secure coding practices to development teams.
Security by default via self-healing software
One goal for developers concerned with security by default is software with the innate ability to proactively identify its own vulnerabilities and rectify them. This concept is inspired by the genetic algorithms used in manufacturing that let systems self-optimize and improve over time.
This would transform “security by default” from a static concept into a dynamic, self-monitoring, self-healing capability built into enterprise software, giving it the ability to rectify its own vulnerabilities, thwart threats and even report new attacks to its developers.
Steps in the right direction
Not too long ago, I wrote about how there needed to be a “private/public partnership in which industry and government come together to solve the digital security problem.” The creation of Secure by Design principles and the efforts of CISA and industry leaders to advance them is a big step forward in mounting just such an urgently needed collaborative defense against cyber threats.
It’s still up to individual software providers and developers to put these measures into action, though. Following security by default practices plays a vital part in developing and delivering more secure software and gaining the high ground in the cybersecurity battle.