Security By Design: A Promising Approach to Cybersecurity

Security by design is a cybersecurity concept that aims to prevent vulnerabilities from being introduced into systems, software, and hardware. While it is gaining traction in the industry, it is not yet having a major impact in the real world.

Professor John Goodacre, challenge director – Digital Security by Design, UKRI, explained this approach as “where those vulnerabilities, mistakes and human errors, can be protected by the design of the system” when speaking during the Infosecurity Magazine Autumn Online Summit in 2022.

During the same event, Harman Singh, security expert and consultant said that everything else in cybersecurity, “is a band aid approach, which is quick, superficial or temporary.”

Currently, a huge aspect of cybersecurity revolves around waiting for security issues to become apparent, and then fixing them before they are exploited by malicious actors. This has led to a perpetual patch management cycle, which is becoming increasingly unsustainable amid surging levels of digitization.

This issue is encapsulated by Microsoft’s ‘patch Tuesday’ initiative, in which the tech giant rolls out a fresh batch of vulnerability patches across all its applications every second Tuesday of the month.

Speaking at an event in 2022, Goodacre noted: “They’ve had to create a patch Tuesday mechanism, they’ve worked with the industry to create a database for the vulnerabilities – basically, it’s a major initiative to be able to track cyber issues in today’s technologies.”

Building technologies that are secure by design is a significant challenge requiring buy-in from multiple stakeholders, including developers, manufacturers, academia and governments.

Firstly, it is crucial for software developers to gain the security knowledge and acumen to create code that is secure by design. Forging closer relationships between security teams and developers is one component of building these insights – but this has historically proved challenging.

Developers often perceive security teams as a roadblock to innovation and getting software to market. Conversely, security teams don’t think they are listened to by developers, leading to insecure code being created. As such, efforts must be made to garner greater trust and communication between these teams to understand each other’s needs and find compromises.

Cybersecurity commentators have noted rising cyber-attacks specifically targeting developers. Mitigating these risks requires security teams and developers to increase collaboration.

Another problem in code creation is that developers typically are not given sufficient cybersecurity training during their education at college and university. This is an aspect that cyber experts want to see rectified.

In February 2023, Jen Easterly, US Director of the Cybersecurity and Infrastructure Agency (CISA), called for universities to include security as a standard element in computer science coursework. This came hot on the heels of her address at Carnegie Mellon University, urging the tech industry to take greater responsibility for security by design.

In a recent article for Infosecurity Magazine, Amy Baker security education evangelist, Security Journey, wrote that “students must be exposed to the value of coding securely early on and ensure they can spot basic issues before entering the industry.”

Advanced technologies could also be part of the solution. While the launch of OpenAI’s ChatGPT product in late 2022 raised numerous concerns among security professionals, its potential benefits for the cyber industry have also been highlighted. This includes the technology being used to help developers create more secure code by quickly informing them of known issues and how to fix them. Therefore, it is vital that organizations utilize generative AI technologies to assist developers in creating secure software.

There has been a growing interest and focus from governments on the issue of security by design, and this has led to numerous initiatives to force tech providers to take more responsibility for their products’ cybersecurity. For example, the UK passed legislation placing cybersecurity obligations on the manufacturers of IoT devices in 2022. This includes banning universal default passwords and forcing these companies to be transparent about actions they are taking to fix security flaws in their products.

The US National Cybersecurity Strategy, published in March 2023, has similarly placed more onus on tech providers to take responsibility for the security of their products. This includes requirements on these companies to create a software bill of materials (SBOM), displaying the inventory of components used to develop software.

Meanwhile, in the UK, an ambitious government-backed project is taking place to secure underlying computer hardware – the components upon which software products are developed.

The program is called Digital Security by Design (DSbD) and aims to develop and market hardware components that block vulnerabilities by design. If successful, experts believe around 70% of security software vulnerabilities would be prevented from ever occurring.

Currently, research and testing is being undertaken on prototype architecture, known as the Morello board, to provide insights that enable the technology to be developed further.

However, making such a product commercially viable will be an enormous challenge, requiring significant government and industry buy-in and support to be successful.

Security by design is an approach that requires buy-in from multiple stakeholders – fundamentally, it is a change of mindset, whereby increasing efforts are placed into ensuring security issues do not occur in the first place, rather waiting and mitigating vulnerabilities.

Amid widening attack surfaces and surging attacks, this strategy is essential for enabling security teams to tackle cyber threats and vulnerabilities sustainably in the future.

Enjoyed this article? Make sure to share it!

Looking for something else?