Why adopt Secure by Design?
Products and services house critical data that, when compromised, can have severe economic, reputational and privacy impacts on individuals and organisations. Vulnerabilities – that could have easily been prevented – are increasingly resulting in everyday Australians being impacted by cybercrime and data breaches. Now more than ever, it is crucial for technology manufacturers and consumers to ensure the security of their products and services by adopting Secure by Design.
What is Secure by Design?
Secure by Design is a proactive, security-focused approach to the design, development and deployment of products and services that necessitates a holistic organisational approach to cybersecurity. Secure by Design requires cyberthreats to be considered from the outset to enable mitigations through thoughtful design, architecture and security measures. Its core value is to protect consumer privacy and data through designing, developing and delivering products and services with fewer vulnerabilities, and then ensuring security is maintained throughout their life cycle.
What can manufacturers and consumers expect?
Secure by Design emphasises the need for technology manufacturers to assume utmost responsibility for the security of their products and services, ensuring that security is the focal point of their entire life cycle and that they are released with as few vulnerabilities as possible. While consumers should be able to expect and demand products and services that are secure and free from vulnerabilities, they also have unique and important roles under the Secure by Design approach. Importantly, consumers must proactively educate themselves, understanding the risks associated with acquiring and operating products and services, and the mitigations needed to lessen their likelihood and impact.
What is Secure by Default?
Secure by Default refers to products and services that are secure to use ‘out of the box’, with little to no additional setup or configuration required to achieve an adequate security baseline. Importantly, all built-in security measures, such as multi-factor authentication, auditing and event logging, are included in the base product at no additional cost to the consumer. Users are made acutely aware of the known risks that may be realised if any deviations from default configurations are made, as well as the increase in likelihood or impact of compromise unless additional mitigations are implemented.
Feedback
Encouraging and enabling manufacturers and consumers to uplift their security via a Secure by Design approach is a core priority for Australian Signals Directorate (ASD)’s Australian Cyber Security Centre (ACSC). Secure by Design is an ongoing work stream empowered through engagement, the release of enabling tools and guidance, and the uplift of better-practice security standards across the Australian digital landscape.
If you would like to share your ideas or provide feedback, please get in touch.
Feature publications
Shifting the Balance of Cybersecurity Risk
Principles and approaches for Security by Design and Secure by Default.
Choosing secure and verifiable technologies: Executive guidance
This guide supports senior leaders to enable their organisations to understand their cyberthreat environment and make better-informed assessments and decisions to procure secure technologies.
Choosing secure and verifiable technologies
The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and international partners have provided recommendations in this guide as a roadmap for choosing secure and verifiable technologies.
Safe Software Deployment: How Software Manufacturers Can Ensure Reliability for Customers
It is critical for all software manufacturers to implement a safe software deployment program supported by verified processes, including robust testing and measurements.
The Case for Memory Safety Roadmaps: Why Both C-Suite Executives and Technical Experts Need to Take Memory Safe Coding Seriously
This guidance provides manufacturers with steps to create memory safe roadmaps and implement changes to eliminate memory safety vulnerabilities from their products.
Exploring Memory Safety in Critical Open Source Projects
This publication follows the December 2023 release of The Case for Memory Safe Roadmaps, which recommended software manufacturers create memory safe roadmaps, including plans to address memory safety in external dependencies, which commonly include open source software (OSS). This publication provides a starting point for these roadmaps by investigating the scale of memory safety risk in selected OSS.
IoT Secure by Design guidance for manufacturers
This guidance has been produced for manufacturers in order to help them implement thirteen Secure by Design principles.
Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products
This guide describes how operational technology owners and operators should integrate security into their procurement process when purchasing industrial automation and control systems, as well as other OT products.