SHIFTING THE BALANCE OF CYBERSECURITY RISK

PRINCIPLES AND APPROACHES FOR SECURE BY DESIGN SOFTWARE

We urge software manufacturers to adhere to the principles within this document. Software manufacturers can demonstrate their commitment by publicly documenting their actions taken, in line with the steps listed below. We encourage software manufacturers to find tactics that meet the spirit of these principles and to create artifacts that will build a compelling case to even skeptical current and potential customers that they are embodying the secure by design philosophy.

In addition to actions software manufacturers should take, customers can also leverage this document. Companies buying software should ask hard questions of their vendors, drawing inspiration from the examples of adhering to the principles listed in this document. In doing so, customers can help to shift the market towards products that are more secure by design. An example of questions customers can ask of vendors is given in CISA’s Guidance for K-12 Technology Acquisitions.

We encourage enterprise customers to incorporate these practices into procurement processes, vendor due diligence assessments, enterprise risk acceptance decisions, and other steps taken when evaluating vendors. Customers should also push their vendors to publicly document the secure by design actions each vendor takes. Collectively, this can create a strong demand signal for security, which can encourage and enable software manufacturers to take steps towards greater security. In other words, just as we seek to create a pervasive secure by design philosophy within software manufacturers, we need to create a “secure by demand” culture with their customers.
