The Australian Cyber Security Centre (ACSC), Computer Emergency Response Team New Zealand (CERT NZ) and New Zealand’s National Cyber Security Centre (NCSC-NZ) have joined an international push urging technology manufacturers to take urgent steps necessary to ship products that are “secure-by-design and default.”

A joint document was developed by the agencies in partnership with U.S. Cybersecurity and Infrastructure Security Agency (CISA), the US National Security Agency (NSA), the FBI, and the cybersecurity authorities of Canada, the UK, Germany and the Netherlands.

It states, “The authoring agencies strongly encourage every technology manufacturer to build their products in a way that prevents customers from having to constantly perform monitoring, routine updates, and damage control on their systems to mitigate cyber intrusions. Manufacturers are encouraged to take ownership of improving the security outcomes of their customers.

“Historically, technology manufacturers have relied on fixing vulnerabilities found after the customers have deployed the products, requiring the customers to apply those patches at their own expense. Only by incorporating Secure-by-Design practices will we break the vicious cycle of creating and applying fixes.”

Cyber security director of the US National Security Agency, Rob Joyce, called insecure technology products a risk to national security as well as to individual users. 

“If manufacturers consistently prioritise security during design and development, we can reduce the number of malicious cyber intrusions we see,” he added.

“The international coalition partnering on this report speaks to the importance of this issue.”

The authoring agencies urge manufacturers to revamp their design and development programs to permit only Secure-by-Design and -Default products to be shipped to customers.

“Products that are Secure-by-Design are those where the security of the customers is a core business goal, not just a technical feature. Secure-by-Design products start with that goal before development starts. Secure-by-Default products are those that are secure to use “out of the box” with little to no configuration changes necessary and security features available without additional cost. Together, these two principles move much of the burden of staying secure to manufacturers and reduce the chances that customers will fall victim to security incidents resulting from misconfigurations, insufficiently fast patching, or many other common issues.”

The Guide provides a list of software development best practices as well as specific recommendations such as eliminating default passwords.

“Organizational decisions to accept the risks associated with specific technology products should be formally documented, approved by a senior business executive, and regularly presented to the Board of Directors,” is another recommendation.

The partners also call for “radical transparency and accountability”: not only should vendors take part in vulnerability disclosure programs, “advisories and associated common vulnerability and exposure (CVE) records” should be “complete and accurate.”

View the Guide HERE. The document authors have requested feedback on the guide to be sent to: SecureByDesign@cisa.dhs.gov.