The agency issued an RFI seeking industry input on costs, how to incorporate security into higher education and how to reduce recurring security vulnerabilities.
CISA has actively pushed the industry to embrace secure by design principles as part of a larger effort by the Biden administration to make security a core feature of software development.
Malicious criminal hackers and nation-state adversaries have, in many cases, launched attacks by exploiting critical vulnerabilities in software that were left exposed by customers who either kept using old versions or failed to apply emergency security patches.
For example, major companies such as Boeing and Comcast’s Xfinity broadband entertainment business were hit by malicious hackers who exploited a critical buffer overflow vulnerability in Citrix NetScaler dubbed CitrixBleed.
A source familiar with the secure by design plan said software manufacturers have expressed support for the effort, but CISA still needs more formal input.
Earlier this month, IT-ISAC released a white paper calling for cloud and critical SaaS providers to embrace secure by default principles, which has been part of the larger secure by design emphasis by CISA.
“Secure by default is a journey lots of software developers are on,” said James Dolph, CISO at Guidewire Software and co-author of the IT-ISAC report. “Our hope with the paper is we can more clearly define the goal so engineers, user-experience professionals and security teams can work towards better outcomes for their customers and other users.”
Among the suggested changes, cloud companies could be required to institute multifactor authentication by default, automatically rotate secrets or place time restrictions on elevated-access privileges.
Responses to the RFI are due by Feb. 20.