Digital products and services increasingly hold critical data that, if compromised, can have negative economic, reputational and privacy impacts on individuals and organisations. Australians are increasingly experiencing the lived impacts of cybercrime and data breaches that stem from vulnerabilities in digital products and services. Now more than ever, it is crucial that technology manufacturers ensure the security of their digital products and services through a security-first approach. Consumers should continue to take care when using or purchasing any digital product or service, but the burden of security should not fall on consumers alone: they should be able to expect products that are secure and free from vulnerabilities.
ASD’s ACSC is looking to promote Secure-by-Design through the development and launch of information and artefacts. This will be a continuing workstream. We welcome feedback on this Secure-by-Design webpage, its resources and the ASD’s ACSC's Secure-by-Design Foundations by 28 February 2024. Additionally, we are seeking further engagement from all interested parties on artefacts that can be developed to help promote, enhance and secure digital products and services through a Secure-by-Design approach. ASD’s ACSC will look to host targeted consultations as this work progresses.
What is Secure-by-Design?
Secure-by-Design is a proactive, security-focused approach to the development of digital products and services that requires an organisation's cyber security goals to be aligned with its product strategy from the outset. Cyber threats are considered at the design stage so that they can be mitigated through thoughtful design, architecture and security measures rather than addressed after the product ships. Its core value is to protect consumer privacy and data by designing, building and delivering products with fewer vulnerabilities.
What is Secure-by-Default?
Secure-by-Default is the process of ensuring products are secure to use ‘out of the box’, with little or no additional setup or configuration required. All built-in security measures, such as multi-factor authentication (MFA) and audit and security logging, are included and enabled at no additional cost to the consumer. Consumers and users are made acutely aware of the known risks that may be realised if any deviation from the default configuration is made, and of the increased likelihood or impact of compromise unless additional mitigations are implemented.
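To make the Secure-by-Default idea concrete, here is an added illustration (not code from ASD’s ACSC or from any product) of a service configuration whose defaults are all secure, and which refuses to apply a weaker setting until the operator explicitly acknowledges the stated risk. The setting names, the risk statements and the acknowledgement flag are hypothetical; the point is that weakening a default is an explicit, recorded act rather than a silent one.

```python
"""Secure-by-Default configuration handling (illustrative, hypothetical settings)."""
from dataclasses import dataclass, fields, replace


@dataclass(frozen=True)
class ServiceConfig:
    # Every security control is on by default and costs the consumer nothing extra.
    require_mfa: bool = True
    audit_logging: bool = True
    tls_verify: bool = True
    session_timeout_minutes: int = 15
    allow_default_admin_password: bool = False


# Hypothetical risk statements shown to an operator who weakens a boolean default.
RISKS = {
    "require_mfa": "password-only login: phished or reused credentials give full account access",
    "audit_logging": "no audit trail: a compromise cannot be detected or investigated",
    "tls_verify": "unverified TLS: traffic can be intercepted by an on-path attacker",
    "allow_default_admin_password": "default admin password: trivially guessable by any attacker",
}

SECURE = ServiceConfig()  # the out-of-the-box configuration


def check_overrides(overrides: dict) -> list[str]:
    """Return one risk warning per override that is weaker than the secure default.

    Raises ValueError for settings the product does not have, so a typo cannot
    silently leave a control in its default state while the operator believes
    it was changed.
    """
    unknown = set(overrides) - {f.name for f in fields(ServiceConfig)}
    if unknown:
        raise ValueError(f"unknown settings: {sorted(unknown)}")
    cfg = replace(SECURE, **overrides)
    warnings = []
    for name, risk in RISKS.items():
        if getattr(cfg, name) != getattr(SECURE, name):
            warnings.append(f"{name}={getattr(cfg, name)!r}: {risk}")
    # A numeric setting is only a weakening in one direction.
    if cfg.session_timeout_minutes > SECURE.session_timeout_minutes:
        warnings.append(
            f"session_timeout_minutes={cfg.session_timeout_minutes}: "
            "a stolen session token stays usable for longer"
        )
    return warnings


def apply_overrides(overrides: dict, acknowledge: bool = False) -> tuple[ServiceConfig, list[str]]:
    """Apply operator overrides to the secure default configuration.

    Any weakening must be explicitly acknowledged; otherwise the product refuses
    to start with the weaker settings and reports exactly which risks apply.
    """
    warnings = check_overrides(overrides)
    if warnings and not acknowledge:
        raise PermissionError(
            "weakened defaults require explicit acknowledgement:\n  " + "\n  ".join(warnings)
        )
    return replace(SECURE, **overrides), warnings


if __name__ == "__main__":
    # Out of the box: nothing to configure, nothing to warn about.
    cfg, notes = apply_overrides({})
    print("default config:", cfg, "warnings:", notes)
    # An operator weakening two controls must acknowledge the listed risks.
    try:
        apply_overrides({"require_mfa": False, "session_timeout_minutes": 60})
    except PermissionError as err:
        print(err)
    cfg, notes = apply_overrides(
        {"require_mfa": False, "session_timeout_minutes": 60}, acknowledge=True
    )
    for note in notes:
        print("ACKNOWLEDGED RISK:", note)
```

The structure matters more than the particular settings: the secure state is the zero-configuration state, tightening a control is never flagged, and every loosening is named together with its consequence at the moment it is made.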
The Secure-by-Design Foundations (the Foundations) are a first step in ASD’s ACSC's approach to assist technology manufacturers and consumers across industry and government to adopt Secure-by-Design. The Foundations are designed to foster discussion within technology manufacturers on how to best approach Secure-by-Design, and also contain relevant information and actions for technology customers.
Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default
IoT Secure-by-Design Guidance for Manufacturers
This guidance has been produced for manufacturers in order to help them implement thirteen secure-by-design principles.
The Case for Memory Safety Roadmaps
This guidance provides manufacturers with steps to create memory safety roadmaps and implement changes to eliminate memory safety vulnerabilities from their products.