Unsafe At Any Speed: CISA's Plan to Foster Tech Ecosystem Security

CISA's plan to secure technology ecosystems by design: eliminating vulnerabilities at the source, promoting secure coding practices, hardening guidelines, and zero-trust security architectures, with the aim of reducing costs and improving overall security.

Key takeaways
  • CISA’s goal is to shift the balance towards a more secure ecosystem by design, rather than after-the-fact patches.
  • Securing software by design requires eliminating vulnerabilities at the source, rather than relying on patches or hardening guides.
  • The Federal Government is working on establishing a Secure by Default program, aiming to eliminate default passwords, insecure configurations, and other vulnerabilities.
  • CISA is promoting the concept of “Secure by Design” to prioritize security in the design phase of software development.
  • The agency recognizes that adding security after the fact is insufficient, indicating a need for security awareness and knowledge at all levels of the organization.
  • CISA is working on open-sourcing code, contributing to the community, and collaborating with other agencies to drive security innovation.
  • The agency is also promoting the use of resources such as the National Cybersecurity Strategy, the Cyber Instant Reporting system, and the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA).
  • Secure by Design prioritizes the use of memory-safe programming languages and secure coding practices to prevent common vulnerabilities.
  • The initiative aims to reduce the costs of security patches and incidents by eliminating vulnerabilities at the source.
  • CISA is working with the industry to promote the adoption of secure practices, including the use of hardened guidelines and secure protocols.
  • The agency is also promoting the concept of zero-trust security architectures, which assume that all systems and data are compromised and therefore require strict access controls.
  • CISA is investing in research and development to improve its understanding of the root causes of vulnerabilities and to identify effective mitigation strategies.
  • The agency is also working with the private sector to improve the security of open-source software and to encourage the adoption of secure coding practices.
  • The goal is to make security a top priority, rather than an afterthought, and to create a culture of security that permeates all aspects of software development.
  • CISA is working with the industry to develop a set of best practices for secure software development, including the use of secure coding guidelines and secure testing procedures.