An organization’s approach to cybersecurity must constantly evolve as attack surfaces increase and it learns more about potential threats. Understanding that threats can enter from any point in the software supply chain, a Secure by Design approach integrates security into the design, coding, testing, and deployment phases of software development. As the standard for U.S. federal agencies — and any organization that touches their software — Secure by Design has become a go-to benchmark for building security into the software development lifecycle.
Over time, Secure by Design has branched off into related concepts such as Secure by Default and Secure by Demand, which emphasize different ways of approaching Secure by Design:
- Secure by Default focuses on ensuring that all software products are secure out of the box.
- Secure by Demand extends Secure by Design principles to the procurement process.
Here’s a closer look at Secure by Design and these related approaches, including a step-by-step guide to how organizations can adapt their strategies to prevent exploitable vulnerabilities and software supply chain attacks.
What is Secure by Design?
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) introduced its Secure by Design Initiative in April 2023, with a focus on three key software security principles:
- Take ownership of customer security outcomes
- Embrace radical transparency and accountability
- Build organizational structure and leadership to achieve these goals
Secure by Design integrates security principles and protocols into every stage of the software development process. This means that security measures are built into the design, coding, testing, and deployment phases of software development rather than being added on as an afterthought.
The goal of Secure by Design is to create a secure foundation for software from the very beginning, reducing vulnerabilities and potential attack surfaces.
What is Secure by Default?
Secure by Default is an offshoot of Secure by Design that focuses on ensuring that any software or hardware is set to its most secure configuration without requiring reconfiguration by the user. Products that are Secure by Default automatically enable the most important security controls needed to protect enterprises from unauthorized access by bad actors — meaning users do not have to go through additional steps to ensure that a product is protected against prevalent exploitation techniques.
Secure by Default tactics include eliminating default passwords and mandating multi-factor authentication and single sign-on to allow only authorized users access to resources. This approach also includes automatic updates and patches, as well as secure configurations for all user accounts and devices.
What is Secure by Demand?
Secure by Demand combines Secure by Design principles with budgeting and procurement contracts in order to drive Secure by Design as a mandate for vendors as well as contractors. CISA’s Secure by Demand Guide provides a set of questions and resources that software purchasers, buyers, and procurers can use to better understand a potential vendor’s approach to cybersecurity. This includes questions about the vendor's authentication practices, software supply chain security, and vulnerability disclosure and reporting.
By requiring vendors to adhere to Secure by Design principles and protocols in their products and services, organizations can help prevent potential vulnerabilities from entering their software supply chain. The Secure by Demand approach also further incentivizes vendors to continuously improve their own cybersecurity posture.
Building a Secure by Design cybersecurity strategy
As organizations prioritize becoming Secure by Design, steps include utilizing effective DevSecOps practices, maintaining a software bill of materials (SBOM), and incorporating AI to defend against threats entering from any point in the software development lifecycle.
Adopting DevSecOps practices
One of the first steps to support a Secure by Design posture is a secure software development process: developing, building, securing, and deploying software using a comprehensive DevSecOps approach.
Today, many developers utilize complex toolsets to create new programs. A recent survey by GitLab found that 62% of respondents use 6 or more tools for development, and 20% use 11 or more — an inefficiency that increases risk by introducing potential security vulnerabilities.
Developers should be able to access all the tools necessary for DevSecOps workflows in a single, easy-to-use interface. With an end-to-end solution, like a DevSecOps platform, organizations can implement a Secure by Design approach without increasing the burden on developers.
Creating and maintaining SBOMs
Embracing transparency is another significant part of being Secure by Design. Organizations must understand what’s in their software, especially when it may include components from multiple sources.
SBOMs are essential tools for achieving this transparency. They offer detailed inventories of software components, including version, license, and dependency details, that enable greater awareness of potential vulnerabilities or malicious code.
Maintaining this inventory allows organizations to fully understand the vulnerabilities and risks that can arise when components are pulled from open source repositories or licensed from third parties. A DevSecOps platform can help automatically generate and update SBOMs, integrate them into existing workflows, and link them to associated vulnerabilities.
While many organizations are now using SBOMs, they must be dynamic, connected with security scanning tools, and continuously updated to be fully effective. When integrated with scanning tools and dashboards, SBOMs provide a way to identify the risks associated with an application. Even when not required, SBOMs can support compliance with security regulations by providing auditable evidence of what the software contains.
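To make concrete what "linking an SBOM to associated vulnerabilities" means in practice, here is an added example (not code from the original post or from any vendor's platform). It parses a constructed, simplified CycloneDX-style SBOM, checks each component against a constructed advisory list and a constructed license policy, and uses the dependency graph to report through which top-level component a vulnerable transitive dependency is reached. The advisory identifiers, package names, and versions are all placeholders.

```python
import json

# Constructed, simplified CycloneDX-style SBOM (assumption: a real SBOM carries more fields).
SBOM_JSON = """
{
  "components": [
    {"name": "libwidget", "version": "1.4.2", "purl": "pkg:pypi/libwidget@1.4.2",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "fastparse", "version": "2.0.9", "purl": "pkg:pypi/fastparse@2.0.9",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"name": "httpcore", "version": "0.9.1", "purl": "pkg:pypi/httpcore@0.9.1",
     "licenses": []}
  ],
  "dependencies": [
    {"ref": "pkg:pypi/libwidget@1.4.2", "dependsOn": ["pkg:pypi/httpcore@0.9.1"]},
    {"ref": "pkg:pypi/fastparse@2.0.9", "dependsOn": []}
  ]
}
"""

# Constructed advisory feed: component name -> list of (first fixed version, placeholder advisory id).
ADVISORIES = {
    "httpcore": [("0.9.3", "ADV-PLACEHOLDER-001")],
    "libwidget": [("1.4.0", "ADV-PLACEHOLDER-002")],
}
# Constructed organizational policy: licenses not permitted in shipped products.
DENIED_LICENSES = {"GPL-3.0-only"}


def parse_version(v):
    # Simple dotted-numeric comparison; enough for the constructed sample above.
    return tuple(int(p) for p in v.split("."))


def assess(sbom_text, advisories, denied):
    """Return (purl, category, detail) findings for vulnerable or non-compliant components."""
    sbom = json.loads(sbom_text)
    # Reverse dependency map: child purl -> the components that pull it in.
    used_by = {}
    for dep in sbom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            used_by.setdefault(child, []).append(dep["ref"])
    findings = []
    for c in sbom["components"]:
        licenses = [entry["license"]["id"] for entry in c.get("licenses", [])]
        if not licenses:
            findings.append((c["purl"], "license", "no license declared"))
        for lic in licenses:
            if lic in denied:
                findings.append((c["purl"], "license", f"denied license {lic}"))
        for fixed_in, adv in advisories.get(c["name"], []):
            if parse_version(c["version"]) < parse_version(fixed_in):
                via = ", ".join(used_by.get(c["purl"], [])) or "direct dependency"
                findings.append((c["purl"], "vuln", f"{adv} fixed in {fixed_in}; reached via {via}"))
    return findings
```

Re-running `assess` whenever the SBOM or the advisory feed changes is what turns a static inventory into the dynamic, continuously updated SBOM the text calls for.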
Using AI in software development
As organizations explore ways to use AI, software development workflows provide a valuable entry point to the technology, which has the potential to accelerate development processes and enhance security.
Organizations across all industries are already beginning to explore these applications: 39% of respondents in GitLab’s survey said they are already using AI in the software development lifecycle.
Applying AI across the software development lifecycle, rather than in isolated stages, can help organizations avoid the silos and backlogs that piecemeal AI adoption creates within development workflows. AI can perform key functions such as:
- Code explanation and legacy code refactoring into memory-safe languages
- Root cause analysis for DevSecOps pipelines, expediting solutions for complex problems during testing
- Vulnerability resolution to help reconcile known vulnerabilities, supporting more thorough remediation
As leaders integrate AI into their workflows, it is crucial to prioritize privacy and data security. An essential aspect of adopting a Secure by Design approach is to develop an AI strategy that safeguards sensitive data and protects intellectual property rights.
What’s next
Secure by Design may soon become the default approach to creating a more trustworthy software ecosystem. The U.S. government is currently working with software developers to create frameworks that legally incentivize the private sector to produce and release Secure by Design software, driving businesses to invest more in secure technology and practices.
With security built into software development from the start, transparency through effective SBOMs, and AI enhancing the development process, everyone involved in the software development lifecycle will be positioned for success.