Secure by Design
It's time to build cybersecurity into the design and manufacture of technology products.
As America’s Cyber Defense Agency, CISA is charged with defending our nation against ever-evolving cyber threats and with understanding, managing, and reducing risk to the cyber and physical infrastructure that Americans rely on every hour of every day. But, as we introduce more unsafe technology to our lives, this has become increasingly difficult.
As a nation, we have allowed a system where the cybersecurity burden is placed disproportionately on the shoulders of consumers and small organizations and away from the producers of the technology and those developing the products that increasingly run our digital lives. Americans need a new model to address the gaps in cybersecurity—a model where consumers can trust the safety and integrity of the technology that they use every day.
Every technology provider must take ownership at the executive level to ensure their products are secure by design.
What it Means to Be Secure by Design
Products designed with Secure by Design principles prioritize the security of customers as a core business requirement, rather than merely treating it as a technical feature. During the design phase of a product’s development lifecycle, companies should implement Secure by Design principles to significantly decrease the number of exploitable flaws before introducing products to the market for widespread use or consumption. Out of the box, products should be secure, with additional security features such as multi-factor authentication (MFA), logging, and single sign-on (SSO) available at no extra cost.
Unsafe At Any Speed: CISA's Plan to Foster Tech Ecosystem Security
New to the concept of Secure by Design? CISA Senior Technical Advisors Bob Lord and Jack Cable break down what it means for technology products to be secure by design.
Product Security Bad Practices Catalogue Open for Public Comment
CISA is seeking public comment to inform the development of Product Security Bad Practices, which enumerate exceptionally risky software development activities. Please visit the Federal Register to submit comment by Dec. 16, 2024.
Take the Secure by Design Pledge
Join CISA and over 200 software manufacturers by committing to take specific, measurable actions in line with secure by design principles.
Learn How to Implement Secure by Design Principles
CISA's Secure by Design initial joint guidance describes what software manufacturers can do to make their products safer, and ways customers can evaluate those products.
Resources
Exploring Memory Safety in Critical Open Source Projects
This guide builds on The Case for Memory Safe Roadmaps by providing a starting point for software manufacturers to create memory safe roadmaps, including plans to address memory safety in external dependencies, which commonly include OSS.
The Case for Memory Safe Roadmaps
The guidance offers manufacturers a framework for developing and sharing memory-safe roadmaps, demonstrating their commitment to security, transparency, and a top-down approach to product security, in line with the principles of Secure by Design.
Open Source Software Security
Open source software is part of the foundation of the digital infrastructure we all rely upon.
Find out here how CISA is working to help secure it.
Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem
This guide is concise and usable by any customer of software during procurement discussions with third-party resellers or service providers.
Safe Software Deployment: How Software Manufacturers Can Ensure Reliability for Customers
This guidance aids software manufacturers in implementing a safe software deployment process with robust testing and measurement components.