Secure-by-Design Foundations

A great team requires all players to work together. Secure-by-Design is a whole-of-organisation responsibility, requiring action and buy-in beyond operational or technical teams. Ensuring each level within an organisation understands their role in improving secure-by-design maturity will contribute to the delivery and selection of secure products. Following secure-by-design practices can significantly improve the cyber security risk profile of technology manufacturers and their customers. Technology manufacturers and customers may look to champion secure-by-design through appointing dedicated secure-by-design senior stakeholders to provide organisational leadership and by tying secure-by-design to commercial outcomes.

The holistic secure organisation Foundation aims to mitigate and reduce the impact of the following key risks: malicious insider; supply chain compromise; loss of customer confidence; financial and relational damage; system downtime and service disruptions; and social engineering. This Foundation may mitigate or reduce the impact of additional risks that are unique to each organisation.

Key focus areas

• Secure-by-Design appointed senior stakeholders
• Senior management cyber risk ownership
• Cyber security posture linked to commercial success
• Organisational cyber security culture
• General cyber security awareness
• Role specific cyber security awareness
• Awareness, reporting, and transparency
• Disaster recovery and business continuity
• Continuous improvement

A strong foundation prevents a structure’s collapse. Shift left security is about following an early and continued security first approach and mindset when developing digital products and services. This means ensuring security risks, threats and mitigations are all considered as part of the planning and design stages of development. These considerations should not only be applied to new products, but also for changes and updates to existing ones. Technology manufacturers should consider early investment in shift left security practices to achieve secure products and to build consumer confidence.

The shift left security Foundation aims to mitigate and reduce the impact of the following key risks: poor vulnerability identification, insecure code, costly security additions, increased attack surface, system design flaws, and emerging threats. This Foundation may mitigate or reduce the impact of additional risks that are unique to each organisation.

Key focus areas

• Team structure and responsibilities
• Security Architecture
• Threat modelling (additional customer threat modelling)
• Security controls and mitigations
• Understanding your customers
• System and data boundaries
• Data and data flows
• Product hosting environments
• Product usability
• Security patterns

Poor quality is costly, high quality is enduring. Secure-by-Design is about starting with quality design and considered architecture. This will lead to creating code that is secure, repeatable, and maintainable, while ensuring security does not become an afterthought. Code must be protected from unauthorised changes from build through to release. Technology manufactures should consider their unique development environments and the actions they can take to prevent vulnerabilities from being created during development or updates.

The secure code – repeatable, maintainable, with built-in security Foundation aims to mitigate and reduce the impact of the following key risks: malicious code and input injection, supply chain attacks, poor code quality, insecure authentication and authorisation, security misconfigurations, absence of input validation and sanitisation, and poor error handling. This Foundation may mitigate or reduce the impact of additional risks that are unique to each organisation.

Key focus areas

• Change management
• Secure development environments
• Critical and security component identification
• Developer security reviews
• Source management solution
• Secure coding practices
• Memory safe language use
• Language security awareness
• Audit and security logging
• Secure-by-Default
• Authentication and authorisation
• Cryptography
• Input/output sanitisation and validation
• Error handling
• Third-party components
• Software Bill of Materials (SBOM)
• Product artefacts
• Architectural Blueprints
• Security patterns

Prevention is better than cure. Secure-by-Design aims for early detection of vulnerabilities and weaknesses. This will reduce the time, effort and resources needed to resolve issues. To improve the chances of finding vulnerabilities and weaknesses early, there are key testing strategies that technology manufacturers should employ:

• In-house: Testing performed by both the development team and a dedicated software testing team.
• Automated: Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST), along with unit and integration tests to cover most of the critical code and security components.
• External: Independent code review and testing and focused security testing (penetration testing).
• Field testing: Simulated real world testing, focusing on integrations and customer scenarios.

The testing Foundation aims to mitigate and reduce the impact of the following key risks: regression defects, late-stage weaknesses, poor user experience, performance issues, functional defects, security defects, and compatibility issues. This Foundation may mitigate or reduce the impact of additional risks that are unique to each organisation.

Key focus areas

• Documenting critical code and security components
• Repeatable testing plans
• Automated testing
• Code coverage
• Penetration testing
• Field testing

The best offence is a good defence. Secure-by-Design is about providing strong defence in all three data states (at-rest, in-transit, and in-use). Data flows, storage locations and formats need to be well understood and documented to ensure protection is applied to all data. Both code and hosting environments need specific considerations to achieve data confidentially, integrity and availability security goals. Organisations can protect their own and their consumers’ privacy and information by ensuring data is protected.

The data security Foundation aims to mitigate and reduce the impact of the following key risks: data compromise (confidentiality, integrity, and availability), unauthorised access, absence of data governance, data recovery, malicious insider, and absence of regulatory compliance. This Foundation may mitigate or reduce the impact of additional risks that are unique to each organisation.

Key focus areas

• Principles of least privilege
• Confidentiality, Integrity, Availability of data
• Cryptographic Keys and Secrets management
• Strong encryption (at-rest, in-transit, in-use) and cryptographic hashing algorithms
• Authentication and authorisation
• Immutable and secure logging
• Regular backups logically and physically separated

Assurance is the confidence manufactures can portray in a product. Secure-by-Design builds assurance through several initiatives including verifiable builds, attestations against industry frameworks, monitoring, and incident response handling. Assurance is not a one-off, but a continual process that is enacted throughout the product lifecycle. Assurance is supported by a continued commitment to transparency through organisations reporting how they are enhancing their security by following secure-by-design practices.

The continuous assurance Foundation aims to mitigate and reduce the impact of the following key risks: loss of customer confidence, increased time to identify incidents and vulnerabilities, increased time to recover from compromise, loss of reputation, unauthorised access, and social engineering attacks. This Foundation may mitigate or reduce the impact of additional risks that are unique to each organisation.

Key focus areas

• Immutable logging
• Normal vs abnormal system behaviour monitoring (via SIEM solutions)
• Incident response; Isolation, recovery, and remediation (via SOAR solutions)
• Reporting and CVE creation
• Defence in depth
• Principle of least privilege
• Key and Secret management
• Authentication and authorisation
• Software Bill of Materials (SBOM)
• Attestations (ISM, SSDF, CSF, CPG)

Customers wouldn’t expect to fly in a plane that had not been serviced. Secure-by-Design ensures digital products and services are serviced and supported throughout their lifecycle. Products become more vulnerable over time and need to be serviced and maintained to ensure optimal security. Technology manufacturers can use the following techniques:

• Schedule maintenance at regular intervals.
• Continuous risk assessments against any change to the system, landscape, or threat environment.
• Changes are made with security considerations.
• Provision support services that assist delivery of secure digital products and services.

The maintenance and support Foundation aims to mitigate and reduce the impact of the following key risks: loss of customer confidence, zero-day and n-day exploits, and consuming vulnerable third-party components. This Foundation may mitigate or reduce the impact of additional risks that are unique to each organisation.

Key focus areas

• Regular reviews
• Situational threat awareness
• Patches and updates
• Security before backwards compatibility
• Change management
• SBOM monitoring

Dispose securely or protect indefinitely. Secure-by-Design security doesn’t end when a system or feature is decommissioned or becomes legacy. Exploitation of legacy systems can be used to perform lateral movement, data exfiltration and to steal valid credentials. To ensure the secure deprecation of a product, organisations should prioritise for data to be securely archived or destroyed, accounts and access to be removed or updated, and for systems and software to be removed.

The maintenance and support Foundation aims to mitigate and reduce the impact of the following key risks: privilege accumulation, unsecured credentials, vulnerable legacy products, and data compromise (confidentiality, integrity, and availability). This foundation may mitigate or reduce the impact of additional risks that are unique to each organisation.

Key focus areas

• Secure archiving
• Data destruction
• Account and permission reviews
• Deprecated system and software removal