CISA's Secure by Design Principles, Pledge, and Progress
As we venture into the third month of 2025, it's disconcerting to see several hundred Common Vulnerabilities and Exposures (CVE) entries already reported for Cross-Site Scripting (XSS) and SQL injection. It's a stark reminder that these vulnerability classes have been known since the late 1990s, and that the standard defenses against them were identified in the early 2000s. In this episode of ASW #321, Jack Cable delves into CISA's Secure by Design principles and its efforts to refocus businesses on eliminating whole vulnerability classes and prioritizing software quality – with security being one of the critical dimensions of that quality.
What are CISA's Secure by Design Principles?
CISA's (Cybersecurity and Infrastructure Security Agency) Secure by Design initiative is an effort to embed cybersecurity principles into the design phase of products and systems. This approach aims to prevent vulnerabilities from being introduced in the first place, rather than relying on costly fixes later down the line.
The Benefits of a Secure-by-Design Approach
By incorporating security by design, businesses can reduce their vulnerability footprint, decrease the likelihood of major breaches, and improve overall software quality. CISA's principles focus on three key areas: threat modeling, secure coding practices, and supply chain risk management.
Threat Modeling: Understanding the Adversary
Threat modeling is a crucial aspect of Secure by Design. It involves understanding the adversary's motivations, tactics, techniques, and procedures (TTPs) to identify potential vulnerabilities in a system or product. By incorporating threat modeling into the design phase, developers can create systems that are more resilient to attacks.
Secure Coding Practices: Writing Secure Code
Secure coding practices are essential for preventing common web application vulnerabilities like XSS and SQL injection. CISA's principles emphasize the importance of secure coding best practices, such as input validation, error handling, and secure communication protocols.
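To make the two vulnerability classes named above concrete, here is an added example (not code from the episode, the show notes, or CISA) showing the defective pattern beside its hardened form for each: SQL built by string concatenation versus a parameterized query, and HTML emitted with raw user input versus output encoding, plus an allow-list validator of the kind the paragraph calls input validation. The in-memory SQLite table, the sample rows, and the function names are all constructed for this illustration.

```python
import html
import re
import sqlite3

# Constructed sample data: an in-memory table, not a real application schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    # Defect: untrusted input becomes part of the SQL text, so a quote in the
    # input changes the query's structure instead of being treated as data.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    # Hardened: the driver binds `name` as a value; the SQL grammar is fixed
    # by the developer and cannot be altered by the input.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Allow-list validation: reject anything outside the expected shape early,
# as a second layer on top of parameterization, never as a replacement for it.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_valid_username(name):
    return USERNAME_RE.fullmatch(name) is not None


def render_greeting_vulnerable(name):
    # Defect: user-controlled text is interpolated into HTML unencoded,
    # so markup in `name` is interpreted by the browser (reflected XSS).
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    # Hardened: contextual output encoding for an HTML text node; the five
    # significant characters (< > & " ') are replaced by entities.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"  # classic textbook probe, used only to show the contrast
    print("vulnerable:", find_user_vulnerable(db, tautology))  # returns every row
    print("safe:      ", find_user_safe(db, tautology))        # returns nothing
    print("validator: ", is_valid_username(tautology))         # False
    print(render_greeting_safe("<b>bob</b>"))
```

The point the contrast makes is the one the paragraph is driving at: the safe versions do not rely on spotting malicious input, they remove the mechanism by which data can become code. Parameterization keeps SQL structure and values on separate channels, and encoding at the output boundary keeps text from being parsed as HTML, so the whole class goes away rather than one payload.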
Supply Chain Risk Management: Ensuring Integrity
Supply chain risk management is a critical aspect of Secure by Design. It involves identifying and mitigating risks associated with third-party vendors and suppliers. By ensuring the integrity of the supply chain, businesses can reduce their exposure to cyber threats.
CISA's Pledge: A Commitment to Cybersecurity
Alongside its Secure by Design principles, CISA has also made a pledge to prioritize cybersecurity. This pledge is built on three pillars:
Product Security
Product security involves ensuring that products are designed with security in mind from the outset. This includes conducting thorough risk assessments and implementing robust security controls.
Supply Chain Risk Management
Supply chain risk management is critical for ensuring the integrity of products and systems. CISA's pledge emphasizes the importance of identifying and mitigating risks associated with third-party vendors and suppliers.
Technical Assistance and Support
CISA's pledge also includes a commitment to providing technical assistance and support to businesses. This includes resources for training, vulnerability management, and incident response.
Progress and Future Directions
While CISA's Secure by Design initiative has made significant progress in recent years, there is still much work to be done. As we move forward, it's essential that businesses prioritize cybersecurity and embed security principles into their design phase. By doing so, they can reduce their vulnerability footprint and improve overall software quality.
Additional Resources
For more information on CISA's Secure by Design principles, pledge, and progress, visit the following resources:
- CISA's Secure by Design initiative
- CISA's Pledge to Cybersecurity
- Common product security bad practices
- Security by Design: A review of the literature
Skype Hangs Up for Good, Over a Million Cheap Android Devices May be Backdoored, Parallels between Jailbreak Research and XSS, Impersonating AirTags, Network Reconnaissance via a Memory Disclosure Vuln in the GFW, and more!
In this episode of ASW #321, we also discuss other security-related topics, including:
- Skype hangs up for good
- Over a million cheap Android devices may be backdoored
- Parallels between jailbreak research and XSS
- Impersonating AirTags
- Network reconnaissance via a memory disclosure vuln in the GFW