Source: https://www.csoonline.com/article/3693353/7-countries-unite-to-push-for-secure-by-design-development.html

7 COUNTRIES UNITE TO PUSH FOR SECURE-BY-DESIGN DEVELOPMENT


AGENCIES FROM ACROSS SEVEN COUNTRIES COME TOGETHER TO CREATE A GUIDANCE THAT
AIMS TO REMOVE THE BURDEN OF SECURITY FROM THE TECHNOLOGY BUYER.


By Samira Sarraf

Regional Editor for Australia and New Zealand, CSO | 17 April 2023 10:53





Ten agencies from across seven countries have joined forces to create a guide
for software developer organizations to ensure their products are both secure by
design and secure by default. The joint guidance, Shifting the Balance of
Cybersecurity Risk: Principles and Approaches for Security-by-Design and
-Default, comes after several recently identified critical vulnerabilities in
vendor software. In April, the United States Cybersecurity and Infrastructure
Security Agency (CISA) published seven advisories covering vulnerabilities,
including critical ones, in industrial control systems (ICS) and supervisory
control and data acquisition (SCADA) software from multiple vendors. A few weeks
prior, the agency had also issued advisories on 49 vulnerabilities in eight ICS
products from providers including Delta Electronics, Hitachi, Keysight,
Rockwell, Siemens, and VISAM.

The collaborating agencies are:

 * The Australian Cyber Security Centre (ACSC)
 * The Canadian Centre for Cyber Security (CCCS)
 * Germany’s Federal Office for Information Security (BSI)
 * Netherlands’ National Cyber Security Centre (NCSC-NL)
 * New Zealand’s Computer Emergency Response Team New Zealand (CERT NZ) and
   National Cyber Security Centre (NCSC-NZ)
 * The United Kingdom’s National Cyber Security Centre (NCSC-UK)
 * The US’s CISA, Federal Bureau of Investigation (FBI), and National Security
   Agency (NSA).


SECURE BY DESIGN VERSUS SECURE BY DEFAULT

The guidance defines secure-by-design products as those where the security of
customers is a core business goal, not just a technical feature; that goal is
set before development starts. Secure-by-default products are those that are
secure to use out of the box, with little to no configuration change necessary
and with security features available at no additional cost.



These approaches, the agencies believe, remove much of the security burden from
the customer and reduce the chances of customers falling victim to security
incidents.


THE TECHNOLOGY DEVELOPER’S ROLE

Every technology manufacturer should build their products in a way that prevents
customers from having to constantly perform monitoring, routine updates, and
damage control on their systems to mitigate cyber intrusions. “Historically,
technology manufacturers have relied on fixing vulnerabilities found after the
customers have deployed the products, requiring the customers to apply those
patches at their own expense. Only by incorporating secure-by-design practices
will we break the vicious cycle of creating and applying fixes,” stated the
guidance.

The agencies urged technology developers to revamp their design and development
programs so that only secure-by-design and secure-by-default products are
shipped to customers. One way to achieve that, the document suggests, is for
developers to migrate to programming languages that eliminate widespread classes
of vulnerability, rather than focusing on product features that seem appealing
but increase the risk of attack.



“Our new joint guide aims to drive the conversation around security standards
and help turn the dial so that the burden of cyber risk is no longer carried
largely by the consumer,” UK National Cyber Security Centre CEO Lindy Cameron
said in a statement. “We call on technology manufacturers to familiarise
themselves with the advice in this guide and implement secure-by-design and
-by-default practices into their products to help ensure our society is secure
and resilient online.”


BUSINESSES MUST MAKE TECHNOLOGY VENDORS ACCOUNTABLE FOR SECURITY OF PRODUCTS

Part of the guidance is addressed to CISOs and technology buyers and covers how
they can help protect their businesses. It recommends that organizations hold
their technology suppliers accountable for the security of their products, by
prioritizing the purchase of products that meet the secure-by-design and
secure-by-default definitions above. To do so, organizations should establish
policies requiring IT departments to assess the security of manufacturer
software before it is purchased, and should empower IT departments to push back
if necessary. “IT departments should be empowered to develop purchasing criteria
that emphasize the importance of secure-by-design and secure-by-default
practices.”

The guidance goes further and recommends IT should have the support of executive
management when enforcing these criteria. “Organizational decisions to accept
the risks associated with specific technology products should be formally
documented, approved by a senior business executive, and regularly presented to
the board of directors.”

The organization’s own security posture, including its enterprise network,
identity and access management, and security and response operations, should
also be treated as critical. Organizations should reinforce the importance of
product security both formally, through contracts with vendors, and informally,
by building long-term partnerships in which buyers understand how the vendor
works to ensure the security of its products.

Buyers should also keep in contact with their peers, both to stay informed about
products and services with secure designs and to present a united front when
giving feedback to technology vendors. When it comes to cloud security,
technology buyers must understand both the provider’s responsibilities and their
own organization’s. “Insecure technology products can pose risks to individual
users and our national security,” NSA cybersecurity director Rob Joyce said in a
statement. “If manufacturers consistently prioritize security during design and
development, we can reduce the number of malicious cyber intrusions we see.”

The agencies seek feedback by email on the guidance from interested parties on
key priorities, investments, and decisions necessary to achieve a future where
technology is safe, secure, and resilient by design and default.


With years of experience covering technology and business across the IT channel,
Samira Sarraf managed the enterprise IT content at and wrote for the CIO.com,
CSO Online, and Computerworld editions in Australia and New Zealand. She is now
an editor with CSO Online global.


Copyright © 2023 IDG Communications, Inc.
