Senior security advisor tells conference that the US agency is examining ways to secure open source.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) wants customers to push software manufacturers to create more secure products, the agency’s senior technical advisor told ISC2 members this week as part of the ISC2 Spotlight event on Secure Software Development.

It is also looking more closely at ways to bolster the security of open-source software, CISA’s senior technical advisor, Jack Cable, told attendees.

The organization published a whitepaper earlier this year on Security by Design, which called for the burden of cybersecurity risk to shift from the “least capable” (small companies, schools, and local government, for example) to those “most capable”.

Who are the most capable? “That's the manufacturers … that are building these products in a way that have vulnerabilities or misconfigurations that continue to get exploited by attackers.” This is in line with the broader U.S. national security effort around cybersecurity.

Secure by Design is the Default Stance

Ensuring products are both secure by design and secure by default is central to CISA’s strategy, Cable explained. The former includes actions like detailing artifacts, producing software bills of materials (SBOMs), and laying out roadmaps towards using memory safe languages. The latter includes ensuring products are secure “right out of the box” and don’t place an undue burden on the user.

He explained that CISA was pursuing a three-point strategy where software manufacturers should: own security outcomes and view customer security as an extension of vendor security; engage in “radical transparency and accountability”; and build organizational structures to ensure this “from the CEO down.”

He added, “security can’t be a second-class citizen to sales or growth.”

Cable said one particular interest for him was ensuring that manufacturers have vulnerability disclosure policies, “or ideally bug bounties that offer legal safe harbor so that researchers aren’t scared of legal action. They should allow researchers to talk publicly about their findings.”

The organization’s recently updated whitepaper went into more detail on the actions manufacturers can take to make their products more secure from the outset, he said, rather than leaving it in the hands of users.

“It’s not easy to be a user of tech products today … but everybody has to be a user of tech products,” he continued.

When applications or products are not secure out of the box, customers are “inheriting all this work.” That ranges from resetting default passwords and patching vulnerabilities in the first instance, to longer term burdens such as paying extra for IAM tools, hardening security, and more.

Improving Education to Tackle Cybersecurity

The organization also wants cybersecurity to be a fundamental part of the compsci curriculum rather than an option. Cable noted that of the top 20 compsci universities in the U.S., only one required security to be taught at the undergraduate level.

While CISA was pushing industry on this, and the U.S. government was using its own purchasing might to push this agenda, end users had a part to play, he said. “How do we start to get customers really asking more and asking the right questions of their vendors?

“We want customers to really start asking for these… start asking their vendor, ‘What is your secure by design roadmap? Or can you give me your SBOMs?’” Customers should ask suppliers “how are you training your employees, or how are you actually looking for security when you're hiring software developers.”

“The more that … customers can really create that demand signal, the better off we are.”

Shipping insecure software or digital products was a business decision on the part of manufacturers, he said. Often the response to CISA’s efforts was “who’s going to pay?”

But he continued, “Our response is we’re paying for this. It’s just offloaded onto the customers.”

Security by design isn’t free, and isn’t cheap to implement, he accepted. But compared to the existing costs associated with a lack of security, from ransom payments, breach costs, and the costs of additional security, “We think it’s better in the long run.”

And beyond the economic impact, there is a broader issue of the “national security delta” to consider. An unacceptable lack of security was causing critical infrastructure to be vulnerable to ransomware attacks, he said.

Having customers prioritize security in discussion with suppliers, “and enforcing that through contract language, or their purchasing decisions, I think that is one of the best ways we can go about doing this.”

Not Just a Proprietary Consideration

This was not just an issue for closed source vendors, Cable said. The organization recently ran a request for information in conjunction with other agencies on open-source and memory safety, he said. “We got some very thoughtful responses.”

Cable added, “We want to see how the federal government and CISA can help and spur additional improvements in security recognizing all the many benefits that we've gotten from open-source.”

He noted that the U.S. government was itself a major user of open-source, and “has a responsibility to contribute back.”

The government was building out partnerships with open-source communities, he said. “For instance, principles for security for package managers, who are in a really great position to help raise the security baseline of the open-source community broadly.”

The responses to the request for information would help it work out where it could get the biggest bang for its buck, Cable said.

It should be the responsibility of every company producing software to be good stewards “of the open source that they're dependent upon, that they're integrating and using to sell their products to their customers.”

The pervasiveness of open-source means, “It's really everyone's responsibility who uses open-source software to help maintain that ecosystem.”