CISA’s Secure by Design effort is ‘tiny’: Not everyone believes in the concept of security by design. Jeff Williams, founder and CTO of Contrast Security and creator of the first OWASP Top 10 list in 2002, told CSO that, in his view, the very first secure-by-design manual was the vaunted August 1983 “Orange Book” produced by the Department of Defense.

“The Orange Book was extremely rigorous security,” Williams said. “It embodied all the principles of secure by design. We had to build a formal specification of the design. Then we had to build the actual system. We had to show traceability between the design and the implementation. Then we had to show test results and strong sustainability from the tests to the implementation, and so on. It’s 30 years later, and I don’t believe it anymore.”

Williams has become disillusioned with secure by design because its goal is software assurance, whereas the cybersecurity industry has moved on to risk management. “Most organizations do risk management, and assurance is the opposite of risk management,” he said.

The industry has moved away from assurance because organizations have no visibility into the software products they use. “There’s not a lot of transparency in cybersecurity. SBOMs [software bills of materials] are the tiniest baby step towards transparency, and they barely tell you anything.”

Given his skepticism, it is unsurprising that Williams is not a fan of CISA’s program. “CISA’s Secure by Design program is a tiny effort. It is just a few people with a few documents that came out. It’s not like a big agency is backing this and saying, ‘This is how we’re going to train the world to do security better and fundamentally change how security is done in the market.’”
The path forward is unclear: Given the turmoil surrounding CISA’s staffing levels, it’s unclear how the agency will move forward with its Secure by Design efforts. In a statement, Bridget Bean, currently performing the duties of CISA director until nominee Sean Plankey can step into the role, shed little light on the question.

“CISA remains laser-focused on working across the public and private sectors to improve the nation’s cybersecurity, a critical element of which is ensuring that technology companies do their part,” Bean said. “This is why we continue to urge companies to develop products that are secure by design, instead of passing the cost of poorly designed products on to consumers. While CISA’s approaches to Secure by Design evolve, our commitment to the principles remains steadfast. I thank Bob Lord and Lauren Zabierek for helping to lay the foundation on which future work in this space can be built.”

Healey referred to the commonly cited aphorism that the government’s policy tools are carrots, sticks, and sermons. “A lot of Secure by Design was all in the sermons,” he said. “That office was largely sermons. They were out there. They would be encouraging. They would be talking about it. It’s that sermon section of it that will go away.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3971375/secure-by-design-is-likely-dead-at-cisa-will-the-private-sector-make-good-on-its-pledge.html