CISA Pressures Tech Vendors To Ship Secure Software ‘out Of The Box’

Programmer looking at code on a screen

Image Credit: Przemyslaw Klos / EyeEm via Getty

Join top executives in San Francisco on July 11-12, to hear how leaders are integrating and optimizing AI investments for success. Learn More

Today, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation, the National Security Agency (NSA) and cybersecurity authorities across Australia, Canada, United Kingdom, Germany, Netherlands and New Zealand released new guidance urging software manufacturers to take the steps necessary to ship products that are secure-by-design, “out of the box.” 

The guidance, a report named “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default,” aims to “encourage every technology manufacturer to build their products in a way that prevents customers from having to constantly perform monitoring, routine updates, and damage control on their systems.” 

It also outlines the steps organizations can take to implement secure-by-design and secure-by-default approaches, which are essential for minimizing vulnerabilities and bugs before their release to the market, ensuring software remains resilient to exploitation from threat actors.  

“Building security into the design process is not only good practice, it’s also very effective in mitigating flaws in software before they reach the consumer. The challenge, however, is for organizations to adopt these practices without affecting the business, as this process takes time and requires resources that can impact the bottom line,” said Ray Kelly, fellow at Synopsys Software Integrity Group.


Transform 2023

Join us in San Francisco on July 11-12, where top executives will share how they have integrated and optimized AI investments for success and avoided common pitfalls.

Register Now

The report comes less than a year after the EU introduced the Cyber Resilience Act, which set out to codify a cybersecurity framework for hardware and software producers to improve the security of products during the design and development phase. 

Both the Cyber Resilience Act and CISA’s new guidance highlights there is an industry-wide shift away from placing the burden of security on end-user organizations and customers toward making software vendors more transparent and accountable for the level of bugs and vulnerabilities present in released products. 

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.