Australia is turning a corner on security-by-design
Secure-by-design has been on the best-practice radar for some years now.
As this Deloitte study shows, a constant stream of cyberattacks and breaches has made cybersecurity a key consideration in digital initiatives. As one executive said, “Everyone is … incorporating (cyber) in the design of the strategies, in the design of the budgets, and in the design of their solutions.”
But it may also be too little, too late. Governments are losing patience with slow and often piecemeal progress, and that is driving them to challenge the status quo around software assurance, accountability and ownership. They want to see evidence of commitment and action, not just discussion and consideration.
In the past few months, it’s become clear that security won’t be left to free market forces and self-regulation for much longer. There’s growing regulatory attention around the issue of security accountability as a means of addressing the root cause of security issues that continue to form the basis of damaging malicious attacks and data breaches.
This direction is apparent in several recent moves in Australia.
The Australian Digital Health Agency (ADHA) last month brought in new mandatory security requirements that push the makers of clinical software that interconnects with My Health Record to strengthen the security of their products. The requirements lean on the mitigation strategies of the Essential Eight, a set of security controls that government organisations must achieve maturity in.
The intent is to “harden clinical information systems from cyber security attacks, uplift information security and provide better protection for consumer information.” Vendors have to “submit extensive evidence to demonstrate conformance to each requirement” and submit to observation from an agency team.
Clearly, health and medical data needs protecting, but it is not the only industry that is dealing with sensitive or valuable information.
More broadly, Australia is a signatory to new secure-by-design and secure-by-default principles drafted by the US Cybersecurity and Infrastructure Agency (CISA) last month. The Australian Cyber Security Centre described the intent of this effort in an explainer:
“Products that are secure by design are those where the security of the customers is a core business goal, not just a technical feature. Secure-by-design products start with that goal before development starts. Secure-by-default products are those that are secure to use “out of the box” with little to no configuration changes necessary and security features available without additional cost.
“Together, these two principles move much of the burden of staying secure to manufacturers and reduce the chances that customers will fall victim to security incidents resulting from misconfigurations, insufficiently fast patching, or many other common issues.”
The global nature of this effort is particularly important. To stand a chance of thwarting threat actors in their tracks, a global push to rewrite the story on security culture is required.
Security accountability is a good place to start this because, in the simplest terms, vendors should be held accountable for insecure software. I say this as a software vendor myself. It makes sense that the buck stops with us when it comes to security. It’s our build pipeline, our processes and our quality control, and if we slip up, then it’s our responsibility to remediate.
Shared and specific accountability
Understandably, however, the push around security accountability is resurfacing old divisions. Accountability has been a ‘hot potato’ for decades. Executives and teams tend to disagree on where the ultimate responsibility for software security lies.
One report from Venafi revealed that 97% of senior IT executives agree that software build processes are not secure enough, but they disagree on who should ‘own’ that: 61% of executives said IT security teams should assume responsibility for software security, while 31% think responsibility ultimately falls to the development team.
In any event, a discussion needs to be had, and accountability appropriately apportioned. As cybersecurity should be a shared responsibility, ownership may also be distributed among executives, developers and security teams. Within that, specific responsibilities need to be assigned and understood in order to meet the new government directives.
In Australia, accountability for cybersecurity outcomes increasingly rolls up to executives, though that is split across a number of C-Level roles, according to research by PwC. Obviously, executives aren’t doing the application hardening work but will have to be across it and keep tabs on progress. As such, many would be well-advised to sponsor it, both as a show of support and to drive it forward.
Though security teams may undertake some hardening tasks, it’s more likely that the work will fall to software developers. However, a team of security-skilled developers is the missing ingredient in most organisations. Such a team makes security at speed possible, but only when time and resources are invested in building those skills.
Developers should therefore be given every opportunity to lift their skills and share the responsibility for vulnerability detection and eradication. They cannot do this in a measurable way without relevant, contextual learning and tools, and not if security training is treated as an annual compliance exercise instead of an ongoing skill development pathway.
Doing so represents the best chance we have at raising software standards across the board and finally ushering in a new era of security-skilled developers.