{"id":2955,"date":"2025-04-28T17:30:00","date_gmt":"2025-04-28T17:30:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2955"},"modified":"2025-04-28T17:30:00","modified_gmt":"2025-04-28T17:30:00","slug":"secure-by-design-is-likely-dead-at-cisa-will-the-private-sector-make-good-on-its-pledge","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2955","title":{"rendered":"Secure by Design is likely dead at CISA. Will the private sector make good on its pledge?"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>In April 2023, the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation, and a host of international cybersecurity partners produced <a href=\"https:\/\/www.cisa.gov\/news-events\/news\/us-and-international-partners-publish-secure-design-and-default-principles-and-approaches\">joint guidance<\/a> on achieving secure-by-design software as a follow-up to President Biden\u2019s May 2021 cybersecurity <a href=\"https:\/\/www.csoonline.com\/article\/570725\/biden-administration-releases-ambitious-cybersecurity-executive-order.html\">executive order<\/a>.<\/p>\n<p>In the last two years of the Biden administration, CISA made secure-by-design <a href=\"https:\/\/www.cisa.gov\/securebydesign\">a cornerstone<\/a> of its software security efforts, aiming to decrease preventable flaws in software products before they reach the market. 
\u201cMore secure software is our best hope to protect against the seemingly never-ending scourge of cyberattacks facing our nation,\u201d then-CISA Director Jen Easterly said when <a href=\"https:\/\/www.csoonline.com\/article\/2100486\/cisa-inks-68-tech-vendors-to-secure-by-design-pledge-but-will-it-matter.html\">announcing that 68 leading software providers<\/a> had signed the agency\u2019s Secure by Design pledge.<\/p>\n<p>Despite CISA\u2019s initial hopes for its initiative, last week <a href=\"https:\/\/www.linkedin.com\/posts\/laurenz1010_after-an-incredible-journey-at-cisa-i-have-activity-7320101011182800896-3c8B\/?utm_source=share&amp;utm_medium=member_desktop&amp;rcm=ACoAAAE0IDMBNZ386Pa7hS3Mqbj38bdMYRgb9nM\">Lauren Zabierek<\/a> and <a href=\"https:\/\/www.linkedin.com\/posts\/lordbob_personal-update-ive-made-the-difficult-activity-7320094582770216960-dwyf\/?utm_source=share&amp;utm_medium=member_desktop&amp;rcm=ACoAAAE0IDMBNZ386Pa7hS3Mqbj38bdMYRgb9nM\">Bob Lord<\/a>, two architects of the program, announced they are leaving CISA, amid ongoing DOGE-related <a href=\"https:\/\/www.cbsnews.com\/news\/cisa-cybersecurity-election-infrastructure-face-significant-cuts-sources-say\/\">staff cuts<\/a>, sparking speculation that Secure by Design is dead.<\/p>\n<p>Ahead of their talk on Secure by Design at RSAC 2025, CSO caught up with Jason Healey, senior research scholar at Columbia University\u2019s School of International and Public Affairs, and Chris Wysopal, co-founder and chief security evangelist at Veracode, to gauge their predictions for CISA\u2019s program.<\/p>\n<p>Both agreed that secure by design is a concept that predates CISA and will continue in the private sector even if CISA abandons its program. 
\u201cThere might not be a CISA office that\u2019s doing amazing work on this anymore, but the idea that we have to do it is still going to be around, and hopefully we\u2019ll continue some momentum even if we don\u2019t have Bob and Lauren to cheer it on,\u201d Healey told CSO.<\/p>\n<h2 class=\"wp-block-heading\">Metrics point to slowly improving software security<\/h2>\n<p>Healey and Wysopal are big believers in secure-by-design principles, but they concede that few measurements can directly prove that extra effort at the outset of software creation results in more secure products. \u201cHow can we, amongst the indicators and metrics we have, across threats or vulnerabilities, across consequences or impacts, understand if we\u2019re shifting\u201d toward more secure software? Healey asked.<\/p>\n<p>For its annual <a href=\"https:\/\/www.veracode.com\/wp-content\/uploads\/2025\/02\/State-of-Software-Security-2025.pdf\">State of Software Security report<\/a>, Veracode presents data from several top sources suggesting software security is improving slowly. Wysopal attributes this to \u201call the recent talk of Secure by Design.\u201d<\/p>\n<p>Wysopal told CSO, \u201cThere\u2019s been an acceleration of improvement within the last five years. Why would that be? One of the things that has been happening is this push for secure design, which sophisticated customers like the US government are saying we require our suppliers to do, or at least to attest to how well they did secure by design.\u201d<\/p>\n<p>As one measure of software security improvement, Wysopal pointed to the <a href=\"https:\/\/owasp.org\/www-project-top-ten\/\">OWASP Top 10 list<\/a>, the industry\u2019s bible for identifying the most critical security risks to web applications. \u201cIn 2010, 23% of web applications had zero OWASP top 10 issues,\u201d he said. 
\u201cIn 2020, 10 years later, 32% of applications passed with no OWASP top 10 issues, so that\u2019s about a one percentage point per year improvement.\u201d<\/p>\n<h2 class=\"wp-block-heading\">CISA\u2019s Secure by Design effort is \u2018tiny\u2019<\/h2>\n<p>Not everyone believes in the concept of secure by design. Jeff Williams, founder and CTO of Contrast Security and creator of the first OWASP Top 10 list in 2002, told CSO that, in his view, the very first secure-by-design manual was the vaunted August 1983 \u201c<a href=\"https:\/\/csrc.nist.gov\/files\/pubs\/conference\/1998\/10\/08\/proceedings-of-the-21st-nissc-1998\/final\/docs\/early-cs-papers\/dod85.pdf\">Orange Book<\/a>\u201d produced by the Department of Defense.<\/p>\n<p>\u201cThe Orange Book was extremely rigorous security,\u201d Williams said. \u201cIt embodied all the principles of secure by design. We had to build a formal specification of the design. Then we had to build the actual system. We had to show traceability between the design and the implementation. Then we had to show test results and strong sustainability from the tests to the implementation, and so on. It\u2019s 30 years later, and I don\u2019t believe it anymore.\u201d<\/p>\n<p>Williams has become disillusioned with secure by design because its goal is software assurance, whereas the cybersecurity industry has moved on to <a href=\"https:\/\/www.csoonline.com\/article\/3839272\/what-is-risk-management-quantifying-and-mitigating-uncertainty.html\">risk management<\/a>. \u201cMost organizations do risk management, and assurance is the opposite of risk management,\u201d he said.<\/p>\n<p>The industry has moved away from assurance because organizations have no visibility into the software products they use. \u201cThere\u2019s not a lot of transparency in cybersecurity. 
SBOMs [<a href=\"https:\/\/www.csoonline.com\/article\/573185\/what-is-an-sbom-software-bill-of-materials-explained.html\">software bills of material<\/a>] are the tiniest baby step towards transparency, and they barely tell you anything.\u201d<\/p>\n<p>Given his skepticism, it is unsurprising that Williams is not a fan of CISA\u2019s program. \u201cCISA\u2019s Secure by Design program is a tiny effort. It is just a few people with a few documents that came out. It\u2019s not like a big agency is backing this and saying, \u2018This is how we\u2019re going to train the world to do security better and fundamentally change how security is done in the market.\u2019\u201d<\/p>\n<h2 class=\"wp-block-heading\">The path forward is unclear<\/h2>\n<p>Given the turmoil surrounding CISA\u2019s staffing levels, it\u2019s unclear how the agency will move forward with its Secure by Design efforts. In a statement, Bridget Bean, currently performing the duties of a CISA director until <a href=\"https:\/\/www.csoonline.com\/article\/3844343\/trump-nominates-cyber-vet-sean-plankey-for-cisa-chief-amid-doge-cuts-and-firings.html\">nominee Sean Plankey<\/a> can step into the role, shed little light on the question.<\/p>\n<p>\u201cCISA remains laser-focused on working across the public and private sectors to improve the nation\u2019s cybersecurity, a critical element of which is ensuring that technology companies do their part,\u201d Bean said. \u201cThis is why we continue to urge companies to develop products that are secure by design, instead of passing the cost of poorly designed products on to consumers. While CISA\u2019s approaches to Secure by Design evolve, our commitment to the principles remains steadfast. I thank Bob Lord and Lauren Zabierek for helping to lay the foundation on which future work in this space can be built.\u201d<\/p>\n<p>Healey referred to the commonly cited aphorism that the government\u2019s policy tools are carrots, sticks, and sermons. 
\u201cA lot of Secure by Design was all in the sermons,\u201d he said. \u201cThat office was largely sermons. They were out there. They would be encouraging. They would be talking about it. It\u2019s that sermon section of it that will go away.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>In April 2023, the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation, and a host of international cybersecurity partners produced joint guidance on achieving secure-by-design software as a follow-up to President Biden\u2019s May 2021 cybersecurity executive order. In the last two years of the Biden administration, CISA made secure-by-design a cornerstone [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2956,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2955","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2955"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2955"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2955\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2956"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2955"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/
index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2955"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2955"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}